CVE-2026-46398
Published: 05 June 2026
Summary
CVE-2026-46398 is a high-severity Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040). It is ranked at the 8.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-34893
Vulnerability details
HAX CMS helps manage a microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. Because a browser attaches a cookie that lacks Secure to any plain-HTTP request to the same host, the refresh token can be transmitted over unencrypted HTTP, making it vulnerable to theft via packet sniffing on the network. Version 26.0.0 fixes the issue.
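The following is an added example, not code from HAX CMS or its advisory: a small Node.js audit that parses a Set-Cookie header and flags the CWE-614 condition described above (no Secure attribute), placed beside a builder for the vulnerable shape of the cookie and a hardened replacement. Only the cookie name comes from the advisory; the hardened attribute values (Path, SameSite, Max-Age), the sample token and the helper names are assumptions for illustration.

```javascript
// Added example, not HAX CMS code. Audits Set-Cookie headers for the CWE-614
// condition in the advisory (missing Secure) and shows a hardened form.
// Cookie name is from the advisory; all other values are assumptions.

const COOKIE_NAME = 'haxcms_refresh_token';

// Split one Set-Cookie header value into its name/value pair and an
// attribute map keyed by lower-cased attribute name.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Report the hardening attributes a session or refresh-token cookie should
// carry. Secure is the one this CVE is about; HttpOnly and SameSite are the
// checks a reviewer would run on the same header at the same time.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.secure) findings.push('CWE-614: missing Secure; browser will send it over plain HTTP');
  if (!c.attrs.httponly) findings.push('missing HttpOnly; readable by page scripts');
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : '';
  if (!['strict', 'lax'].includes(sameSite)) findings.push('SameSite not Strict or Lax');
  return { name: c.name, findings };
}

// Shape of the pre-26.0.0 cookie as the advisory describes it: no Secure.
// (Assumed layout; the other attributes are illustrative.)
function vulnerableSetCookie(token) {
  return `${COOKIE_NAME}=${token}; Path=/; HttpOnly`;
}

// Hardened form: Secure so the browser only sends the cookie over HTTPS,
// plus HttpOnly and SameSite. Values are assumptions, not project settings.
function hardenedSetCookie(token, maxAgeSeconds = 7 * 24 * 3600) {
  return `${COOKIE_NAME}=${token}; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=${maxAgeSeconds}`;
}

// Constructed sample token for the demo; not a real HAX CMS value.
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiJ9.constructed.sample';

if (typeof require !== 'undefined' && require.main === module) {
  for (const header of [vulnerableSetCookie(SAMPLE_TOKEN), hardenedSetCookie(SAMPLE_TOKEN)]) {
    const { findings } = auditCookie(header);
    console.log(header);
    console.log('  ->', findings.length ? findings.join('; ') : 'ok');
  }
}
```

Run it with `node` to see the vulnerable header flagged on Secure (and, in this constructed layout, SameSite) while the hardened header passes. The same `auditCookie` can be pointed at the `set-cookie` response headers captured from a deployment to confirm whether the fix in 26.0.0 is actually in effect behind any proxy or load balancer that rewrites cookies.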
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A cookie set without the Secure flag is sent over plain HTTP as well as HTTPS, so the refresh token it carries can be captured by network/packet sniffing (T1040).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.