PT-2026-41975 · Npm · @Haxtheweb/Haxcms-Nodejs

Published 2026-05-19 · Updated 2026-06-06 · CVE-2026-46393

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: HAX CMS versions prior to 26.0.0
Description: An authenticated Server-Side Request Forgery (SSRF) allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. The issue exists in the '/createSite' endpoint, where the build.files parameter accepts arbitrary URLs or local file paths. This input is fetched server-side with the file_get_contents() function without any validation. Because the bulk-import flag bypasses the is_uploaded_file() check, attackers can use various URL schemes to reach external URLs, internal services, cloud metadata endpoints, or local file paths. The fetched content is then written to the 'sites//files/' directory, where it is accessible via the web.
Recommendations: Update to version 26.0.0. Avoid using the build.files parameter in the '/createSite' endpoint until the update is applied.

Exploit

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-46393
GHSA-Q862-GCGQ-5M6G

Affected Products

@Haxtheweb/Haxcms-Nodejs
Haxcms-Nodejs
Hax Cms Php