{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-46393/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HAXcms (\u003c= 25.0.0)"],"_cs_severities":["high"],"_cs_tags":["ssrf","haxcms","cve-2026-46393","vulnerability"],"_cs_type":"advisory","_cs_vendors":["HAXTheWeb"],"content_html":"\u003cp\u003eHAXcms (v11.0.6) is vulnerable to Server-Side Request Forgery (SSRF) via the \u003ccode\u003ecreateSite\u003c/code\u003e endpoint due to insufficient validation of the \u003ccode\u003ebuild.files\u003c/code\u003e parameter. An authenticated user can supply arbitrary URLs or local file paths, which are then fetched server-side using \u003ccode\u003efile_get_contents()\u003c/code\u003e without validation. This allows for reading arbitrary files, accessing internal network services, and potentially exposing cloud credentials through metadata endpoints. This vulnerability was disclosed in GHSA-q862-gcgq-5m6g and is tracked as CVE-2026-46393. Exploitation requires an authenticated session, but default credentials are often present on fresh installs, lowering the barrier to entry.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the HAXcms application using credentials (default \u003ccode\u003eadmin/admin\u003c/code\u003e may work on fresh installs).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a valid JWT and CSRF token from the authenticated session.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/createSite\u003c/code\u003e endpoint with a JSON payload.\u003c/li\u003e\n\u003cli\u003eThe payload includes a \u003ccode\u003ebuild.files\u003c/code\u003e parameter containing a filename (e.g., \u003ccode\u003epoc.txt\u003c/code\u003e) as the key and a \u003ccode\u003etmp_name\u003c/code\u003e value set to the target URL or file path (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/iam/security-credentials/\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe HAXcms server processes the \u003ccode\u003ebuild.files\u003c/code\u003e parameter, extracting the \u003ccode\u003etmp_name\u003c/code\u003e value without validation.\u003c/li\u003e\n\u003cli\u003eThe server uses \u003ccode\u003efile_get_contents()\u003c/code\u003e to fetch the content from the URL or file path specified in \u003ccode\u003etmp_name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe fetched content is saved to the \u003ccode\u003esites/\u0026lt;sitename\u0026gt;/files/\u0026lt;filename\u0026gt;\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the content by sending a GET request to \u003ccode\u003esites/\u0026lt;sitename\u0026gt;/files/\u0026lt;filename\u0026gt;\u003c/code\u003e, thus achieving arbitrary file read or access to internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis SSRF vulnerability can be exploited by any authenticated user to access sensitive information. Successful exploitation allows attackers to read arbitrary files from the server\u0026rsquo;s file system (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, application configuration files), access internal network services, and potentially expose cloud credentials through metadata endpoints like \u003ccode\u003ehttp://169.254.169.254\u003c/code\u003e. This could lead to complete compromise of the server and potentially the associated cloud environment. The affected package \u003ccode\u003enpm/@haxtheweb/haxcms-nodejs\u003c/code\u003e (vulnerable: \u0026lt;= 25.0.0) means that many instances of HAXcms may be affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates to HAXcms to address CVE-2026-46393.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/createSite\u003c/code\u003e with suspicious URLs or file paths in the \u003ccode\u003ebuild.files\u003c/code\u003e parameter, using the Sigma rule \u003ccode\u003eDetect HAXcms createSite SSRF Attempt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInspect network connections originating from the HAXcms server for connections to internal IP addresses or cloud metadata endpoints like 169.254.169.254, as highlighted in the IOC section.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on the \u003ccode\u003ebuild.files\u003c/code\u003e parameter of the \u003ccode\u003e/createSite\u003c/code\u003e endpoint to prevent arbitrary URL and file path injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T14:44:52Z","date_published":"2026-05-19T14:44:52Z","id":"https://feed.craftedsignal.io/briefs/2026-05-haxcms-ssrf/","summary":"HAXcms is vulnerable to Server-Side Request Forgery (SSRF) via the createSite endpoint, allowing an authenticated user to supply arbitrary URLs or local file paths, which are fetched server-side without validation and written to a web-accessible directory, enabling arbitrary file read, internal network access, and cloud credential exposure; this vulnerability is tracked as CVE-2026-46393.","title":"HAXcms createSite SSRF Enables Arbitrary File Read","url":"https://feed.craftedsignal.io/briefs/2026-05-haxcms-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-46393","version":"https://jsonfeed.org/version/1.1"}