Package impact
NPM / @haxtheweb/haxcms-nodejs
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46395 | critical | — | 9.5 | 11d ago | HAXcms: Private Key Disclosure via Broken HMAC Implementation | |||
| CVE-2026-46511 | high | — | 8.0 | 11d ago | HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack | |||
| CVE-2026-46396 | high | — | 8.0 | 11d ago | Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover | |||
| CVE-2026-46393 | high | — | 8.0 | 11d ago | HAXcms createSite SSRF Enables Arbitrary File Read | |||
| CVE-2026-46357 | medium | — | 5.5 | 11d ago | HAX CMS: Denial of Service using Malicious Import Request | |||
| CVE-2026-46496 | medium | — | 5.5 | 11d ago | HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft |