CVE-2026-46398: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in haxtheweb haxcms-php
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via packet sniffing on the network. Version 26.0.0 fixes the issue.
AI Analysis
Technical Summary
The vulnerability CVE-2026-46398 affects haxcms-php versions starting from 25.0.0 up to but not including 26.0.0. The haxcms_refresh_token cookie is set without the Secure flag, allowing it to be sent over unencrypted HTTP connections. This behavior violates best practices for sensitive cookies in HTTPS sessions, as described by CWE-614. The absence of the Secure attribute increases the risk of cookie theft through network interception. Version 26.0.0 of haxcms-php addresses this issue by properly setting the Secure flag on the cookie.
Potential Impact
An attacker capable of intercepting network traffic between the client and server could capture the haxcms_refresh_token cookie if transmitted over HTTP, potentially leading to session hijacking or unauthorized access. The vulnerability does not require user interaction or privileges and can be exploited remotely over the network. The CVSS 4.0 base score is 8.8 (high), reflecting the ease of exploitation and the potential impact on confidentiality.
Mitigation Recommendations
Upgrade haxcms-php to version 26.0.0 or later, where the haxcms_refresh_token cookie is set with the Secure attribute. This official fix ensures the cookie is only transmitted over encrypted HTTPS connections, mitigating the risk of interception. Until the upgrade is applied, avoid using unencrypted HTTP connections to access the application to reduce exposure.
CVE-2026-46398: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in haxtheweb haxcms-php
Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via packet sniffing on the network. Version 26.0.0 fixes the issue.
CVSS v4.0
Score 8.8high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-46398 affects haxcms-php versions starting from 25.0.0 up to but not including 26.0.0. The haxcms_refresh_token cookie is set without the Secure flag, allowing it to be sent over unencrypted HTTP connections. This behavior violates best practices for sensitive cookies in HTTPS sessions, as described by CWE-614. The absence of the Secure attribute increases the risk of cookie theft through network interception. Version 26.0.0 of haxcms-php addresses this issue by properly setting the Secure flag on the cookie.
Potential Impact
An attacker capable of intercepting network traffic between the client and server could capture the haxcms_refresh_token cookie if transmitted over HTTP, potentially leading to session hijacking or unauthorized access. The vulnerability does not require user interaction or privileges and can be exploited remotely over the network. The CVSS 4.0 base score is 8.8 (high), reflecting the ease of exploitation and the potential impact on confidentiality.
Mitigation Recommendations
Upgrade haxcms-php to version 26.0.0 or later, where the haxcms_refresh_token cookie is set with the Secure attribute. This official fix ensures the cookie is only transmitted over encrypted HTTPS connections, mitigating the risk of interception. Until the upgrade is applied, avoid using unencrypted HTTP connections to access the application to reduce exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-13T21:04:10.931Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a232492e29bf47b50b16f64
Added to database: 6/5/2026, 7:33:38 PM
Last enriched: 6/5/2026, 7:48:44 PM
Last updated: 6/5/2026, 8:47:07 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.