CVE-2026-46398

CVSS Score Not Available

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via packet sniffing on the network. Version 26.0.0 fixes the issue.

Published: 6/5/2026

Modified: 6/5/2026

Back to CVE Lookup

Vulnerability Summary

CWE Classification

CWE-614

Related Vulnerabilities

Same Weakness Type(CWE-614)

CVE-2025-52608LOW 3.1

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root.

6/4/2026

Learn More

CVSS Calculator

Calculate and understand CVSS scores

Understanding CVSS Scoring

Learn how severity scores are calculated and what they mean

CVE Prioritization Guide

Best practices for deciding which vulnerabilities to address first

What is a CVE?

Essential guide to Common Vulnerabilities and Exposures