VIR Vulnerability Intelligence Relay

Package impact

npm npm / @haxtheweb/haxcms-nodejs

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2026-46395 critical 9.5 10d ago HAXcms: Private Key Disclosure via Broken HMAC Implementation
CVE-2026-48527 high 8.7 8.7 12h ago HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode…
CVE-2026-46511 high 8.0 10d ago HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack
CVE-2026-46396 high 8.0 10d ago Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover
CVE-2026-46393 high 8.0 10d ago HAXcms createSite SSRF Enables Arbitrary File Read
CVE-2026-46357 medium 5.5 10d ago HAX CMS: Denial of Service using Malicious Import Request
CVE-2026-46496 medium 5.5 10d ago HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
CVE-2026-22704 unknown 5mo ago HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover
CVE-2025-54378 unknown 10mo ago HAX CMS API Lacks Authorization Checks
CVE-2025-54139 unknown 10mo ago HAX CMS application pages vulnerable to clickjacking
CVE-2025-54137 unknown 10mo ago NodeJS version of the HAX CMS application is distributed with Default Secrets
CVE-2025-54134 unknown 10mo ago HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service
CVE-2025-54128 unknown 10mo ago NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting
CVE-2025-54127 unknown 10mo ago NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access
CVE-2025-49141 unknown 1y ago HaxCMS-PHP Command Injection Vulnerability
CVE-2025-49139 unknown 1y ago @haxtheweb/haxcms-nodejs Iframe Phishing vulnerability