https://feed.craftedsignal.io/tags/haxcms/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 19 May 2026 14:48:29 +0000https://feed.craftedsignal.io/briefs/2026-05-haxcms-token-exfil/Tue, 19 May 2026 14:48:29 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-haxcms-token-exfil/HAXcms is vulnerable to stored XSS and exposes authentication tokens in the `/system/api/connectionSettings` endpoint, allowing an attacker to perform cross-tenant account takeover by injecting malicious JavaScript to steal the `jwt`, `user_token`, `site_token`, and `appstore_token`.HAXcms is vulnerable to a critical account takeover vulnerability stemming from a combination of stored XSS and insecure token handling. The vulnerability, present in versions 25.0.0 and earlier, allows an authenticated attacker to inject malicious JavaScript code into a page that, when viewed by another user, exfiltrates that user’s authentication tokens. The /system/api/connectionSettings endpoint dynamically leaks sensitive tokens into a global JavaScript variable (window.appSettings), which can be accessed and stolen via XSS. This vulnerability allows for complete cross-tenant account hijacking, enabling attackers to perform administrative actions without needing the victim’s password.

Attack Chain

1. Attacker authenticates to the HAXcms application with valid credentials.
2. Attacker injects malicious JavaScript code via a stored XSS vulnerability, such as within an iframe’s srcdoc or through a <video-player> tag, on a page they have write access to.
3. The victim user views the compromised page.
4. The injected JavaScript executes in the victim’s browser context.
5. The JavaScript fetches the victim’s connection settings via fetch('/<username>/system/api/connectionSettings'), which includes the victim’s valid JWT and tokens.
6. The JavaScript parses the jwt, user_token, site_token, and appstore_token from the response.
7. The JavaScript encodes the stolen tokens (including jwt, user_token, site_token, and appstore_token) using Base64 encoding.
8. The JavaScript exfiltrates the encoded tokens to an attacker-controlled webhook using an image request to bypass CORS. The attacker now has the ability to impersonate the victim and perform administrative actions.

Impact

This vulnerability allows for complete account hijacking. An attacker who successfully exploits this vulnerability can impersonate a victim user without needing their password. This gives the attacker the ability to perform malicious administrative actions, such as creating or deleting sites, modifying user access, and uploading malicious content. The reliance on window.appSettings for storing long-lived administrative tokens creates a critical vulnerability when combined with XSS.

Recommendation

• Deploy the Sigma rule Detect HAXcms Connection Settings Request to detect requests to the /system/api/connectionSettings endpoint from unusual sources, and tune for your environment.
• Deploy the Sigma rule Detect HAXcms Token Exfiltration via Webhook to detect attempts to exfiltrate the tokens to external webhooks.
• Ensure that all HAXcms instances are updated to a patched version that addresses this vulnerability to prevent CVE-2026-46511 exploitation.

]]>criticaladvisoryhaxcmsxssaccount-takeoverhttps://feed.craftedsignal.io/briefs/2026-05-haxcms-key-disclosure/Tue, 19 May 2026 14:46:30 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-haxcms-key-disclosure/The HAXcms Node.js backend contains two cryptographic implementation errors in the `hmacBase64()` function that allow an unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get full admin access with a single HTTP request.The hmacBase64() function in the HAXcms Node.js backend contains two critical cryptographic implementation errors. First, the function passes the literal string “0” as the HMAC signing key instead of the intended key parameter, resulting in identical HMACs across all HAXcms instances for the same input. Second, after computing the HMAC, the function concatenates the actual signing secret (this.privateKey + this.salt) directly onto the output. This design flaw allows any unauthenticated attacker to extract the system’s private signing key, forge arbitrary admin-level JSON Web Tokens (JWTs), and gain full admin access with a single HTTP request. The vulnerability affects @haxtheweb/haxcms-nodejs versions 25.0.0 and earlier. This vulnerability is tracked as CVE-2026-46395.

Attack Chain

1. The attacker sends an unauthenticated GET request to the /system/api/connectionSettings endpoint.
2. The server responds with JSON data containing multiple tokens generated by the flawed hmacBase64() function.
3. The attacker extracts one of these tokens from the response.
4. The attacker base64-decodes the token.
5. The attacker discards the first 32 bytes of the decoded token (the HMAC).
6. The attacker reads the remaining bytes as a UTF-8 string, which contains the privateKey+salt secret.
7. The attacker uses the extracted privateKey+salt to forge a JWT with admin privileges using JWT.sign(payload, this.privateKey+this.salt). The forged JWT contains a payload specifying id, user (set to “admin”), iat (current timestamp), and exp (expiration timestamp).
8. The attacker uses the forged JWT to access authenticated endpoints, performing actions such as creating, modifying, or deleting sites, and uploading files.

Impact

Successful exploitation allows an unauthenticated attacker to gain full administrative control over a HAXcms instance. The attacker can create, modify, or delete sites, upload arbitrary files, and modify content without any login events being recorded. This attack bypasses any strong passwords set by the administrator. The vulnerability affects @haxtheweb/haxcms-nodejs versions 25.0.0 and earlier.

Recommendation

• Deploy the Sigma rule to detect requests to the /system/api/connectionSettings endpoint as an early warning of exploitation attempts.
• Apply patches or updates provided by HAXtheWeb for @haxtheweb/haxcms-nodejs to address CVE-2026-46395.
• Monitor web server logs for abnormally long tokens which can indicate exploitation, correlate with the HAXcms Node.js Token Length Anomaly Sigma rule.

]]>criticaladvisorycve-2026-46395haxcmskey-disclosurejwtprivilege-escalationhttps://feed.craftedsignal.io/briefs/2026-05-haxcms-ssrf/Tue, 19 May 2026 14:44:52 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-haxcms-ssrf/HAXcms is vulnerable to Server-Side Request Forgery (SSRF) via the createSite endpoint, allowing an authenticated user to supply arbitrary URLs or local file paths, which are fetched server-side without validation and written to a web-accessible directory, enabling arbitrary file read, internal network access, and cloud credential exposure; this vulnerability is tracked as CVE-2026-46393.HAXcms (v11.0.6) is vulnerable to Server-Side Request Forgery (SSRF) via the createSite endpoint due to insufficient validation of the build.files parameter. An authenticated user can supply arbitrary URLs or local file paths, which are then fetched server-side using file_get_contents() without validation. This allows for reading arbitrary files, accessing internal network services, and potentially exposing cloud credentials through metadata endpoints. This vulnerability was disclosed in GHSA-q862-gcgq-5m6g and is tracked as CVE-2026-46393. Exploitation requires an authenticated session, but default credentials are often present on fresh installs, lowering the barrier to entry.

Attack Chain

1. Attacker authenticates to the HAXcms application using credentials (default admin/admin may work on fresh installs).
2. The attacker obtains a valid JWT and CSRF token from the authenticated session.
3. The attacker crafts a POST request to the /createSite endpoint with a JSON payload.
4. The payload includes a build.files parameter containing a filename (e.g., poc.txt) as the key and a tmp_name value set to the target URL or file path (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/ or /etc/passwd).
5. The HAXcms server processes the build.files parameter, extracting the tmp_name value without validation.
6. The server uses file_get_contents() to fetch the content from the URL or file path specified in tmp_name.
7. The fetched content is saved to the sites/<sitename>/files/<filename> directory.
8. The attacker retrieves the content by sending a GET request to sites/<sitename>/files/<filename>, thus achieving arbitrary file read or access to internal resources.

Impact

This SSRF vulnerability can be exploited by any authenticated user to access sensitive information. Successful exploitation allows attackers to read arbitrary files from the server’s file system (e.g., /etc/passwd, application configuration files), access internal network services, and potentially expose cloud credentials through metadata endpoints like http://169.254.169.254. This could lead to complete compromise of the server and potentially the associated cloud environment. The affected package npm/@haxtheweb/haxcms-nodejs (vulnerable: <= 25.0.0) means that many instances of HAXcms may be affected.

Recommendation

• Apply available patches or updates to HAXcms to address CVE-2026-46393.
• Monitor web server logs for POST requests to /createSite with suspicious URLs or file paths in the build.files parameter, using the Sigma rule Detect HAXcms createSite SSRF Attempt.
• Inspect network connections originating from the HAXcms server for connections to internal IP addresses or cloud metadata endpoints like 169.254.169.254, as highlighted in the IOC section.
• Implement strict input validation on the build.files parameter of the /createSite endpoint to prevent arbitrary URL and file path injection.

]]>highadvisoryssrfhaxcmscve-2026-46393vulnerability