CVE-2026-46390
HAX CMS has Unauthenticated Git Access via User-Controlled Key
CVSS Score
0.0
EPSS Score
0.1%
EPSS Percentile
16th
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenticated browsing of git repositories and git history. Version 26.0.0 patches the issue.
| CWE | CWE-639 |
| Vendor | haxtheweb |
| Product | haxcms-php |
| Published | Jun 5, 2026 |
| Last Updated | Jun 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for haxtheweb haxcms-php
Be the first to know when new unknown vulnerabilities affecting haxtheweb haxcms-php are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
haxtheweb / haxcms-php
>= 2.0.0, < 26.0.0