CVE-2026-46357 Overview
CVE-2026-46357 is a denial of service vulnerability affecting HAX CMS, an open source content management system that manages microsite collections using PHP or NodeJS backends. The flaw resides in the NodeJS application's createSite endpoint. An authenticated attacker can submit a single specially crafted site creation request to crash the entire application. Recovery requires a manual server restart, leaving the platform offline until administrators intervene. The issue is tracked under [CWE-20] Improper Input Validation. Version 26.0.0 remediates the vulnerability.
Critical Impact
A single authenticated request to the createSite endpoint takes the HAX CMS NodeJS application offline until a manual server restart is performed.
Affected Products
- HAX CMS NodeJS backend prior to version 26.0.0
- HAX CMS deployments exposing the createSite API endpoint to authenticated users
- Microsite environments managed by vulnerable HAX CMS versions
Discovery Timeline
- 2026-06-05 - CVE-2026-46357 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46357
Vulnerability Analysis
The vulnerability stems from improper input validation in the HAX CMS NodeJS createSite endpoint. The endpoint processes site creation requests without sufficiently validating the structure or content of incoming parameters. When an attacker submits a malformed payload, the NodeJS process throws an unhandled exception that terminates the application. The crash affects every tenant and microsite hosted on the instance, not just the requesting user's resources. Because the NodeJS runtime exits, all in-flight requests fail and no further traffic is served until an operator manually restarts the service.
Root Cause
The root cause is missing input validation and a lack of defensive error handling around the createSite request pipeline. The application accepts attacker-controlled fields and passes them into logic that triggers an unrecoverable runtime error. No try/catch boundary or input schema rejects the malformed request before it reaches the failing code path.
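The two defences this root cause names, an input schema in front of the createSite logic and an error boundary around it, as an added example in Node.js that is not HAX CMS's code. The field names (name, theme) and the theme list are assumptions for illustration; the same schema check is what a reverse proxy would enforce under the workaround below.

```javascript
// Added example (not HAX CMS code): a createSite pipeline with an input schema
// that rejects malformed bodies before any site logic runs, and an error boundary
// that turns an exception into a 500 response rather than an unhandled throw.
const CREATE_SITE_SCHEMA = {               // field names are assumptions
  name:  { required: true,  pattern: /^[A-Za-z0-9-]{1,64}$/ },
  theme: { required: false, pattern: /^[a-z0-9-]{1,32}$/ },
};
const KNOWN_THEMES = new Set(["default", "clean"]);  // constructed sample list

// Returns validation errors; an empty array means the body is acceptable.
function validateCreateSite(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) return ["body must be a JSON object"];
  const errors = [];
  for (const [field, rule] of Object.entries(CREATE_SITE_SCHEMA)) {
    const v = body[field];
    if (v === undefined) {
      if (rule.required) errors.push(`${field} is required`);
    } else if (typeof v !== "string") {
      errors.push(`${field} must be a string`);      // rejects objects, arrays, numbers
    } else if (!rule.pattern.test(v)) {
      errors.push(`${field} has an invalid format`);
    }
  }
  for (const field of Object.keys(body)) {          // unknown fields are rejected too
    if (!Object.prototype.hasOwnProperty.call(CREATE_SITE_SCHEMA, field)) errors.push(`unexpected field ${field}`);
  }
  return errors;
}

// Stand-in for the site creation logic. It throws on a condition a format check
// cannot anticipate (an unknown theme), modelling a downstream runtime error.
function createSite(body) {
  const theme = body.theme === undefined ? "default" : body.theme;
  if (!KNOWN_THEMES.has(theme)) throw new Error(`unknown theme ${theme}`);
  return { slug: body.name.toLowerCase(), theme };
}

// Error boundary: every outcome is a { status, body } response object and
// nothing escapes to terminate the process.
function handleCreateSite(body) {
  const errors = validateCreateSite(body);
  if (errors.length > 0) return { status: 400, body: { errors } };
  try {
    return { status: 201, body: createSite(body) };
  } catch (err) {
    console.error("createSite failed:", err.message);  // log server-side only
    return { status: 500, body: { error: "site creation failed" } };
  }
}
```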
Attack Vector
Exploitation requires network access to the HAX CMS NodeJS instance and valid authenticated credentials. The attacker sends one HTTP request to the createSite endpoint containing the crafted payload. The server process crashes immediately, producing an availability-only impact with no confidentiality or integrity loss. See the GitHub Security Advisory GHSA-9r33-xhw8-4qqp for the full technical write-up.
Detection Methods for CVE-2026-46357
Indicators of Compromise
- Unexpected termination of the HAX CMS NodeJS process followed by service unavailability
- HTTP requests to the createSite endpoint immediately preceding a process crash
- Repeated createSite POST requests from a single authenticated session within a short window
- Process supervisor logs (systemd, pm2, Docker) showing abnormal NodeJS exits without prior shutdown signals
Detection Strategies
- Inspect application logs for unhandled exceptions originating from the createSite request handler
- Correlate authenticated API requests with NodeJS process restart events to identify trigger requests
- Deploy web application firewall rules that validate the JSON schema of site creation payloads before they reach the backend
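The log correlation and burst detection described above, as an added Node.js example that is not part of HAX CMS or pm2. Both log formats are constructed for this example; adapt REQ_RE and EXIT_RE to the real application and supervisor formats.

```javascript
// Added example (not HAX CMS or pm2 code). Log lines are constructed samples;
// adapt REQ_RE and EXIT_RE to the real application and supervisor formats.
const APP_LOG = [
  "2026-06-10T10:00:01Z INFO user=alice POST /createSite",
  "2026-06-10T10:00:05Z INFO user=bob POST /createSite",
  "2026-06-10T10:00:06Z ERROR unhandled exception in createSite handler",
  "2026-06-10T10:05:00Z INFO user=carol POST /listSites",
  "2026-06-10T10:07:10Z INFO user=bob POST /createSite",
];
const SUPERVISOR_LOG = [
  "2026-06-10T10:00:06Z pm2: App [hax-cms] exited with code 1",
  "2026-06-10T10:07:11Z pm2: App [hax-cms] exited with code 1",
];
const REQ_RE = /^(\S+) INFO user=(\S+) POST \/createSite$/;
const EXIT_RE = /^(\S+) pm2: App \[[^\]]+\] exited with code (\d+)$/;
function parseRequests(appLog) {
  return appLog.map(l => l.match(REQ_RE)).filter(Boolean)
    .map(m => ({ at: Date.parse(m[1]), user: m[2] }));
}

// One record per non-zero exit: when it happened and the latest createSite
// request within windowMs before it, which is the likely trigger request.
function correlateCrashes(appLog, supervisorLog, windowMs = 30000) {
  const requests = parseRequests(appLog);
  const exits = supervisorLog.map(l => l.match(EXIT_RE)).filter(Boolean)
    .map(m => ({ at: Date.parse(m[1]), code: Number(m[2]) }));
  return exits.filter(e => e.code !== 0).map(e => {
    const before = requests.filter(r => r.at <= e.at && e.at - r.at <= windowMs);
    const trigger = before.length ? before[before.length - 1] : null;
    return { crashAt: new Date(e.at).toISOString(), suspectUser: trigger ? trigger.user : null };
  });
}

// Users with more than maxPerWindow createSite requests inside any windowMs span.
function burstUsers(appLog, maxPerWindow, windowMs) {
  const byUser = new Map();
  for (const r of parseRequests(appLog)) {
    if (!byUser.has(r.user)) byUser.set(r.user, []);
    byUser.get(r.user).push(r.at);
  }
  const flagged = [];
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    const burst = times.some((t0, i) => times.slice(i).filter(t => t - t0 <= windowMs).length > maxPerWindow);
    if (burst) flagged.push(user);
  }
  return flagged;
}
```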
Monitoring Recommendations
- Configure uptime monitoring with sub-minute polling against HAX CMS health endpoints to detect outages quickly
- Alert on NodeJS process exit codes and restart counts exceeding a baseline threshold
- Track per-user request rates against the createSite endpoint and flag anomalous bursts
- Forward HAX CMS application logs to a centralized logging platform for retroactive analysis of crash-inducing requests
How to Mitigate CVE-2026-46357
Immediate Actions Required
- Upgrade HAX CMS NodeJS deployments to version 26.0.0 or later, which fixes the input validation flaw
- Audit account inventory and remove unused or low-trust authenticated accounts that could send crafted requests
- Place the HAX CMS instance behind a reverse proxy or WAF that can enforce request schema validation
- Configure a process supervisor such as systemd, pm2, or a container restart policy to automatically restart the NodeJS process after a crash
Patch Information
The HAX CMS maintainers released version 26.0.0 to address CVE-2026-46357. Patch details and the full advisory are available in the HAX CMS GitHub Security Advisory. Administrators should review release notes and validate the upgrade in a staging environment before promoting to production.
Workarounds
- Restrict access to the createSite endpoint to trusted administrative accounts only until the patch is applied
- Add upstream input validation at a reverse proxy to reject malformed JSON payloads targeting createSite
- Enable automatic process restart via container orchestration or pm2 to minimize downtime if the crash is triggered
- Rate limit authenticated requests to site creation endpoints to slow repeated exploitation attempts
# Example pm2 start command to auto-restart the HAX CMS NodeJS process after a crash
pm2 start server.js \
--name hax-cms \
--max-restarts 10 \
--restart-delay 3000 \
--exp-backoff-restart-delay 100
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.