{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/haxcms/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["haxcms-nodejs (\u003c= 25.0.0)"],"_cs_severities":["critical"],"_cs_tags":["haxcms","xss","account-takeover"],"_cs_type":"advisory","_cs_vendors":["HAXtheWeb"],"content_html":"\u003cp\u003eHAXcms is vulnerable to a critical account takeover vulnerability stemming from a combination of stored XSS and insecure token handling. The vulnerability, present in versions 25.0.0 and earlier, allows an authenticated attacker to inject malicious JavaScript code into a page that, when viewed by another user, exfiltrates that user\u0026rsquo;s authentication tokens. The \u003ccode\u003e/system/api/connectionSettings\u003c/code\u003e endpoint dynamically leaks sensitive tokens into a global JavaScript variable (\u003ccode\u003ewindow.appSettings\u003c/code\u003e), which can be accessed and stolen via XSS. 
This vulnerability allows for complete cross-tenant account hijacking, enabling attackers to perform administrative actions without needing the victim\u0026rsquo;s password.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the HAXcms application with valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker injects malicious JavaScript code via a stored XSS vulnerability, such as within an iframe\u0026rsquo;s \u003ccode\u003esrcdoc\u003c/code\u003e or through a \u003ccode\u003e\u0026lt;video-player\u0026gt;\u003c/code\u003e tag, on a page they have write access to.\u003c/li\u003e\n\u003cli\u003eThe victim user views the compromised page.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript executes in the victim\u0026rsquo;s browser context.\u003c/li\u003e\n\u003cli\u003eThe JavaScript fetches the victim\u0026rsquo;s connection settings via \u003ccode\u003efetch('/\u0026lt;username\u0026gt;/system/api/connectionSettings')\u003c/code\u003e, which includes the victim\u0026rsquo;s valid JWT and tokens.\u003c/li\u003e\n\u003cli\u003eThe JavaScript parses the \u003ccode\u003ejwt\u003c/code\u003e, \u003ccode\u003euser_token\u003c/code\u003e, \u003ccode\u003esite_token\u003c/code\u003e, and \u003ccode\u003eappstore_token\u003c/code\u003e from the response.\u003c/li\u003e\n\u003cli\u003eThe JavaScript encodes the stolen tokens (including \u003ccode\u003ejwt\u003c/code\u003e, \u003ccode\u003euser_token\u003c/code\u003e, \u003ccode\u003esite_token\u003c/code\u003e, and \u003ccode\u003eappstore_token\u003c/code\u003e) using Base64 encoding.\u003c/li\u003e\n\u003cli\u003eThe JavaScript exfiltrates the encoded tokens to an attacker-controlled webhook using an image request to bypass CORS. 
The attacker now has the ability to impersonate the victim and perform administrative actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for complete account hijacking. An attacker who successfully exploits this vulnerability can impersonate a victim user without needing their password. This gives the attacker the ability to perform malicious administrative actions, such as creating or deleting sites, modifying user access, and uploading malicious content. The reliance on \u003ccode\u003ewindow.appSettings\u003c/code\u003e for storing long-lived administrative tokens creates a critical vulnerability when combined with XSS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect HAXcms Connection Settings Request\u003c/code\u003e to detect requests to the \u003ccode\u003e/system/api/connectionSettings\u003c/code\u003e endpoint from unusual sources, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect HAXcms Token Exfiltration via Webhook\u003c/code\u003e to detect attempts to exfiltrate the tokens to external webhooks.\u003c/li\u003e\n\u003cli\u003eEnsure that all HAXcms instances are updated to a patched version that addresses this vulnerability to prevent CVE-2026-46511 exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T14:48:29Z","date_published":"2026-05-19T14:48:29Z","id":"https://feed.craftedsignal.io/briefs/2026-05-haxcms-token-exfil/","summary":"HAXcms is vulnerable to stored XSS and exposes authentication tokens in the `/system/api/connectionSettings` endpoint, allowing an attacker to perform cross-tenant account takeover by injecting malicious JavaScript to steal the `jwt`, `user_token`, `site_token`, and `appstore_token`.","title":"HAXcms Cross-Tenant Account Takeover via Stored XSS and Token 
Exposure","url":"https://feed.craftedsignal.io/briefs/2026-05-haxcms-token-exfil/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@haxtheweb/haxcms-nodejs (\u003c= 25.0.0)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-46395","haxcms","key-disclosure","jwt","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["HAXtheWeb"],"content_html":"\u003cp\u003eThe \u003ccode\u003ehmacBase64()\u003c/code\u003e function in the HAXcms Node.js backend contains two critical cryptographic implementation errors. First, the function passes the literal string \u0026ldquo;0\u0026rdquo; as the HMAC signing key instead of the intended key parameter, resulting in identical HMACs across all HAXcms instances for the same input. Second, after computing the HMAC, the function concatenates the actual signing secret (\u003ccode\u003ethis.privateKey + this.salt\u003c/code\u003e) directly onto the output. This design flaw allows any unauthenticated attacker to extract the system’s private signing key, forge arbitrary admin-level JSON Web Tokens (JWTs), and gain full admin access with a single HTTP request. The vulnerability affects \u003ccode\u003e@haxtheweb/haxcms-nodejs\u003c/code\u003e versions 25.0.0 and earlier. 
This vulnerability is tracked as CVE-2026-46395.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to the \u003ccode\u003e/system/api/connectionSettings\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe server responds with JSON data containing multiple tokens generated by the flawed \u003ccode\u003ehmacBase64()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts one of these tokens from the response.\u003c/li\u003e\n\u003cli\u003eThe attacker base64-decodes the token.\u003c/li\u003e\n\u003cli\u003eThe attacker discards the first 32 bytes of the decoded token (the HMAC).\u003c/li\u003e\n\u003cli\u003eThe attacker reads the remaining bytes as a UTF-8 string, which contains the \u003ccode\u003eprivateKey+salt\u003c/code\u003e secret.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted \u003ccode\u003eprivateKey+salt\u003c/code\u003e to forge a JWT with admin privileges using \u003ccode\u003eJWT.sign(payload, this.privateKey+this.salt)\u003c/code\u003e. The forged JWT contains a payload specifying \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003euser\u003c/code\u003e (set to \u0026ldquo;admin\u0026rdquo;), \u003ccode\u003eiat\u003c/code\u003e (current timestamp), and \u003ccode\u003eexp\u003c/code\u003e (expiration timestamp).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the forged JWT to access authenticated endpoints, performing actions such as creating, modifying, or deleting sites, and uploading files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to gain full administrative control over a HAXcms instance. The attacker can create, modify, or delete sites, upload arbitrary files, and modify content without any login events being recorded. 
This attack bypasses any strong passwords set by the administrator. The vulnerability affects \u003ccode\u003e@haxtheweb/haxcms-nodejs\u003c/code\u003e versions 25.0.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect requests to the \u003ccode\u003e/system/api/connectionSettings\u003c/code\u003e endpoint as an early warning of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply patches or updates provided by HAXtheWeb for \u003ccode\u003e@haxtheweb/haxcms-nodejs\u003c/code\u003e to address CVE-2026-46395.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for abnormally long tokens, which can indicate exploitation, and correlate with the \u003ccode\u003eHAXcms Node.js Token Length Anomaly\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T14:46:30Z","date_published":"2026-05-19T14:46:30Z","id":"https://feed.craftedsignal.io/briefs/2026-05-haxcms-key-disclosure/","summary":"The HAXcms Node.js backend contains two cryptographic implementation errors in the `hmacBase64()` function that allow an unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs), allowing them to get full admin access with a single HTTP request.","title":"HAXcms Node.js Backend Private Key Disclosure via Broken HMAC Implementation","url":"https://feed.craftedsignal.io/briefs/2026-05-haxcms-key-disclosure/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HAXcms (\u003c= 25.0.0)"],"_cs_severities":["high"],"_cs_tags":["ssrf","haxcms","cve-2026-46393","vulnerability"],"_cs_type":"advisory","_cs_vendors":["HAXTheWeb"],"content_html":"\u003cp\u003eHAXcms (v11.0.6) is vulnerable to Server-Side Request Forgery (SSRF) via the \u003ccode\u003ecreateSite\u003c/code\u003e endpoint due to insufficient validation 
of the \u003ccode\u003ebuild.files\u003c/code\u003e parameter. An authenticated user can supply arbitrary URLs or local file paths, which are then fetched server-side using \u003ccode\u003efile_get_contents()\u003c/code\u003e without validation. This allows for reading arbitrary files, accessing internal network services, and potentially exposing cloud credentials through metadata endpoints. This vulnerability was disclosed in GHSA-q862-gcgq-5m6g and is tracked as CVE-2026-46393. Exploitation requires an authenticated session, but default credentials are often present on fresh installs, lowering the barrier to entry.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the HAXcms application using credentials (default \u003ccode\u003eadmin/admin\u003c/code\u003e may work on fresh installs).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a valid JWT and CSRF token from the authenticated session.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/createSite\u003c/code\u003e endpoint with a JSON payload.\u003c/li\u003e\n\u003cli\u003eThe payload includes a \u003ccode\u003ebuild.files\u003c/code\u003e parameter containing a filename (e.g., \u003ccode\u003epoc.txt\u003c/code\u003e) as the key and a \u003ccode\u003etmp_name\u003c/code\u003e value set to the target URL or file path (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/iam/security-credentials/\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe HAXcms server processes the \u003ccode\u003ebuild.files\u003c/code\u003e parameter, extracting the \u003ccode\u003etmp_name\u003c/code\u003e value without validation.\u003c/li\u003e\n\u003cli\u003eThe server uses \u003ccode\u003efile_get_contents()\u003c/code\u003e to fetch the content from the URL or file path specified in 
\u003ccode\u003etmp_name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe fetched content is saved to the \u003ccode\u003esites/\u0026lt;sitename\u0026gt;/files/\u0026lt;filename\u0026gt;\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the content by sending a GET request to \u003ccode\u003esites/\u0026lt;sitename\u0026gt;/files/\u0026lt;filename\u0026gt;\u003c/code\u003e, thus achieving arbitrary file read or access to internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis SSRF vulnerability can be exploited by any authenticated user to access sensitive information. Successful exploitation allows attackers to read arbitrary files from the server\u0026rsquo;s file system (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, application configuration files), access internal network services, and potentially expose cloud credentials through metadata endpoints like \u003ccode\u003ehttp://169.254.169.254\u003c/code\u003e. This could lead to complete compromise of the server and potentially the associated cloud environment. 
The affected package \u003ccode\u003enpm/@haxtheweb/haxcms-nodejs\u003c/code\u003e (vulnerable: \u0026lt;= 25.0.0) means that many instances of HAXcms may be affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates to HAXcms to address CVE-2026-46393.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/createSite\u003c/code\u003e with suspicious URLs or file paths in the \u003ccode\u003ebuild.files\u003c/code\u003e parameter, using the Sigma rule \u003ccode\u003eDetect HAXcms createSite SSRF Attempt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInspect network connections originating from the HAXcms server for connections to internal IP addresses or cloud metadata endpoints like 169.254.169.254, as highlighted in the IOC section.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on the \u003ccode\u003ebuild.files\u003c/code\u003e parameter of the \u003ccode\u003e/createSite\u003c/code\u003e endpoint to prevent arbitrary URL and file path injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T14:44:52Z","date_published":"2026-05-19T14:44:52Z","id":"https://feed.craftedsignal.io/briefs/2026-05-haxcms-ssrf/","summary":"HAXcms is vulnerable to Server-Side Request Forgery (SSRF) via the createSite endpoint, allowing an authenticated user to supply arbitrary URLs or local file paths, which are fetched server-side without validation and written to a web-accessible directory, enabling arbitrary file read, internal network access, and cloud credential exposure; this vulnerability is tracked as CVE-2026-46393.","title":"HAXcms createSite SSRF Enables Arbitrary File Read","url":"https://feed.craftedsignal.io/briefs/2026-05-haxcms-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Haxcms","version":"https://jsonfeed.org/version/1.1"}