|
241
|
- |
|
-
|
-
|
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementat…
New
|
CWE-200
CWE-321
CWE-327
Information Exposure
Use of Hard-coded Cryptographic Key
Use of a Broken or Risky Cryptographic Algorithm
|
CVE-2026-46395
|
2026-06-6 05:17 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
242
|
8.7 |
HIGH
Network
|
-
|
-
|
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the file…
New
|
CWE-178
CWE-434
Improper Handling of Case Sensitivity
Unrestricted Upload of File with Dangerous Type
|
CVE-2026-46392
|
2026-06-6 05:17 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
243
|
4.3 |
MEDIUM
Network
|
misp
|
misp
|
A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enab…
New
|
CWE-200
Information Exposure
|
CVE-2026-10854
|
2026-06-6 04:51 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
244
|
10.0 |
CRITICAL
Network
|
-
|
-
|
UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in t…
New
|
CWE-287
CWE-303
Improper Authentication
Incorrect Implementation of Authentication Algorithm
|
CVE-2026-46389
|
2026-06-6 04:21 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
245
|
9.8 |
CRITICAL
Network
|
-
|
-
|
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a…
New
|
CWE-285
Improper Authorization
|
CVE-2026-10580
|
2026-06-6 04:20 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
246
|
- |
|
-
|
-
|
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenti…
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-46390
|
2026-06-6 04:20 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
247
|
- |
|
-
|
-
|
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching …
New
|
CWE-183
CWE-918
Permissive List of Allowed Inputs
Server-Side Request Forgery (SSRF)
|
CVE-2026-46391
|
2026-06-6 04:20 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
248
|
- |
|
-
|
-
|
HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch …
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-46393
|
2026-06-6 04:20 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
249
|
- |
|
-
|
-
|
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` el…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-46396
|
2026-06-6 04:20 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
250
|
- |
|
-
|
-
|
HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this…
New
|
CWE-15
CWE-73
CWE-78
External Control of System or Configuration Setting
External Control of File Name or Path
OS Command
|
CVE-2026-46399
|
2026-06-6 04:20 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
