HAX CMS has Unauthenticated Git Access via User-Controlled Key

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenticated browsing of git repositories and git history. Version 26.0.0 patches the issue.

Basic Information

ID CVE-2026-46390

Source GitHub_M

Published Jun 5, 2026 at 18:16

Affected Product

Vendor haxtheweb

Product haxcms-php

Version >= 2.0.0, < 26.0.0

Affected Versions haxtheweb haxcms-php >= 2.0.0, < 26.0.0

CWE Classification

CWE-639

References

github.com /haxtheweb/issues/security/advisories/GHSA-6434-8rch-w65c

{
    "lastseen": "",
    "description": "HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenticated browsing of git repositories and git history. Version 26.0.0 patches the issue.",
    "published": "2026-06-05T18:16:17.100Z",
    "modified": "2026-06-05T18:16:17.100Z",
    "type": "cve",
    "title": "HAX CMS has Unauthenticated Git Access via User-Controlled Key",
    "source": "GitHub_M",
    "references": "https://github.com/haxtheweb/issues/security/advisories/GHSA-6434-8rch-w65c",
    "id": "CVE-2026-46390",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "haxtheweb haxcms-php >= 2.0.0, < 26.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "haxcms-php",
    "version": ">= 2.0.0, < 26.0.0",
    "vendor": "haxtheweb",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

HAX CMS has Unauthenticated Git Access via User-Controlled Key_CVE-2026-46390