The vulnerability identified as CVE-2026-46493 affects haxtheweb's haxcms-php before version 26.0.1. It involves the use of the PHP function uniqid for salt generation, which is considered a cryptographically weak PRNG (CWE-338). This weak randomness can undermine cryptographic strength, potentially allowing attackers to predict or reproduce salts used in security mechanisms. The issue is resolved in version 26.0.1, which replaces the weak PRNG with a more secure method.

The use of a weak PRNG for salt generation can lead to predictable salts, reducing the effectiveness of cryptographic protections such as hashing or encryption salts. This can increase the risk of successful attacks that rely on predicting or reproducing these salts, potentially compromising confidentiality. The CVSS score of 7.5 reflects a high impact on confidentiality with no impact on integrity or availability. No known exploits have been reported.

Upgrade haxcms-php to version 26.0.1 or later, where the use of the weak PRNG uniqid for salt generation has been replaced with a secure alternative. Since this is a software vulnerability and not a cloud service, remediation requires applying the official update. Patch status is not explicitly stated but the fix is included in version 26.0.1. Check the vendor's official release notes or advisory for confirmation and further guidance.