Update:
[MODERATE] GHSA-9r33-xhw8-4qqp: HAX CMS: Denial of Service using Malicious Import Request
GitHub Security Advisory · Security · SecurityFix · 5/19/2026
### Summary The HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service. ### Details Th
Why it matters → @haxtheweb/haxcms-nodejs released an update. Review the changelog for relevant changes.
Who should care → Teams using @haxtheweb/haxcms-nodejs.
@haxtheweb/haxcms-nodejs · node.js
Source payload preview:
{
  "ghsaId": "GHSA-9r33-xhw8-4qqp",
  "summary": "HAX CMS: Denial of Service using Malicious Import Request",
  "severity": "MODERATE",
  "updatedAt": "2026-05-19T19:51:55Z",
  "references": [
    {
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9r33-xhw8-4qqp"
    },
    {
      "url": "https://github.com/advisories/GHSA-9r33-xhw8-4qqp"
    }
  ],
  "description": "### Summary\n\nThe HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service.\n\n### Details\n\nThe `createSite` remote import flow does **not** complete end-to-end. Instead, the server crashes
…