PT-2026-42040 · Npm+1 · @Haxtheweb/Haxcms-Nodejs+1

Published: 2026-05-19 · Updated: 2026-06-06 · CVE-2026-46357

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

HAX CMS versions prior to 26.0.0

Description

The NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the 'createSite' endpoint. This occurs because the createSite function passes a file object lacking the originalname property to the HAXCMSFile.save() function, which attempts to dereference it using .replace(), resulting in a TypeError. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service.

Recommendations

Update to version 26.0.0.
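
The failure mode described above, shown next to a hardened form, as an added example that is not HAX CMS source code. The function names saveUnsafe, saveSafe and handleCreateSite, the sanitising regex and the sample objects are assumptions made for illustration.

```javascript
// Constructed stand-in for the pattern in the advisory; not the project's code.

// Unsafe shape: assumes every upload object carries a string originalname.
// With the property absent, `undefined.replace` raises a TypeError.
function saveUnsafe(upload) {
  return upload.originalname.replace(/[^a-zA-Z0-9._-]/g, '_');
}

// Hardened shape: check presence and type before calling any string method,
// and reject the request with a client error instead of throwing blindly.
function saveSafe(upload) {
  if (!upload || typeof upload.originalname !== 'string' ||
      upload.originalname.length === 0) {
    const err = new Error('upload is missing a valid originalname');
    err.statusCode = 400;
    throw err;
  }
  return upload.originalname.replace(/[^a-zA-Z0-9._-]/g, '_');
}

// Hypothetical request handler: containing the exception per request turns a
// bad input into an HTTP status rather than an uncaught error that ends the
// Node process.
function handleCreateSite(body, save) {
  try {
    return { status: 200, name: save(body.file) };
  } catch (err) {
    return { status: err.statusCode || 500, error: err.message };
  }
}

// Constructed inputs: a well-formed upload and one lacking originalname.
const good = { file: { originalname: 'my logo.png', path: '/tmp/upload1' } };
const bad = { file: { path: '/tmp/upload2' } };

console.log(handleCreateSite(good, saveSafe));  // accepted, name sanitised
console.log(handleCreateSite(bad, saveSafe));   // rejected as a client error
console.log(handleCreateSite(bad, saveUnsafe)); // TypeError contained by the handler
```

Input validation and per-request error containment are separate layers: the first rejects the malformed upload, the second keeps any remaining exception from reaching the process level.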

Exploit

Fix

DoS

NULL Pointer Dereference

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-46357
GHSA-9R33-XHW8-4QQP

Affected Products

@Haxtheweb/Haxcms-Nodejs
Haxcms-Nodejs