CVE-2026-46398
Severity: HIGH
haxtheweb haxcms-php - HAX CMS Missing Secure Flag on Cookie
Title source: ruleDescription
HAX CMS helps manage a microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag, so the browser will also send it on unencrypted HTTP requests to the site, where anyone able to observe the traffic (for example on a shared network) can capture the token. Version 26.0.0 fixes the issue.
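The check a practitioner wants for a CWE-614 finding like this is a quick audit of the Set-Cookie headers a deployment actually returns. The script below is an added example written for this entry; it is not code from the HAX CMS project. The cookie name haxcms_refresh_token comes from the advisory; the two sample responses are constructed for illustration (the other attributes shown on them are assumptions, not the project's real headers), and the Set-Cookie parser is deliberately simplified (it splits on semicolons and ignores Expires values containing commas).

```python
"""Audit Set-Cookie headers for the flags a refresh-token cookie needs.

Added example for this CVE entry; it is not code from the HAX CMS project.
The sample responses below are constructed for illustration and are not
the project's real headers. The cookie name comes from the advisory.
"""
import sys
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Cookies that carry credentials and must never travel over plaintext HTTP.
# "haxcms_refresh_token" is the name given in the advisory.
SENSITIVE_COOKIES = {"haxcms_refresh_token"}


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite") or None,
    )


def audit_cookie(header: str) -> CookieAudit:
    """Flag a sensitive cookie that lacks Secure (this CVE), HttpOnly or SameSite."""
    cookie = parse_set_cookie(header)
    if cookie.name in SENSITIVE_COOKIES:
        if not cookie.secure:
            cookie.findings.append(
                "missing Secure (CWE-614): browser will send it over plaintext HTTP")
        if not cookie.httponly:
            cookie.findings.append("missing HttpOnly: readable by page script")
        if cookie.samesite is None:
            cookie.findings.append("missing SameSite: attached to cross-site requests")
    return cookie


def audit_response(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each cookie set by a response to its list of findings."""
    return {
        audited.name: audited.findings
        for audited in (audit_cookie(v) for k, v in headers if k.lower() == "set-cookie")
    }


def audit_url(url: str) -> Dict[str, List[str]]:
    """Live check: fetch a URL and audit whatever Set-Cookie headers it returns."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        headers = [("Set-Cookie", v) for v in resp.headers.get_all("Set-Cookie") or []]
    return audit_response(headers)


# Constructed sample responses: the first models the < 26.0.0 behaviour the
# advisory describes (Secure absent), the second a cookie carrying all three
# attributes. Neither is copied from the project.
VULNERABLE_RESPONSE = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "haxcms_refresh_token=opaque-token-value; Path=/; HttpOnly; SameSite=Strict"),
]
FIXED_RESPONSE = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "haxcms_refresh_token=opaque-token-value; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_url(sys.argv[1]))
    else:
        for label, response in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
            print(label, audit_response(response))
```

Run it with no arguments to see the constructed vulnerable and fixed responses scored, or pass the login or token-refresh URL of your own instance to audit the headers it really sends. The Secure flag only stops the browser from transmitting the cookie over HTTP; pair it with an HTTP-to-HTTPS redirect and HSTS on the server so plaintext requests are not made in the first place.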
References (1)
x_refsource_confirm: https://github.com/haxtheweb/issues/security/advisories/GHSA-g7v2-r32q-jf5v
Scores
CVSS v4
8.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS
0.0018
EPSS Percentile
8.0%
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-614
Status
published
Products (1)
haxtheweb/haxcms-php
>= 25.0.0, < 26.0.0
Published
Jun 05, 2026
Tracked Since
Jun 06, 2026