CVE-2026-46390
MEDIUMHAX CMS has Unauthenticated Git Access via User-Controlled Key
Title source: cnaDescription
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenticated browsing of git repositories and git history. Version 26.0.0 patches the issue.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/haxtheweb/issues/security/advisories/GHSA-6434-8rch-w65c
Scores
CVSS v4
6.9
EPSS
0.0025
EPSS Percentile
15.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-639
Status
published
Products (1)
haxtheweb/haxcms-php
>= 2.0.0, < 26.0.0
Published
Jun 05, 2026
Tracked Since
Jun 06, 2026