A vulnerability categorized as critical has been discovered in haxtheweb haxcms-php and haxcms-nodejs up to 25.x . This affects an unknown function of the file site.json of the component saveOutline Endpoint . Executing a manipulation of the argument location can lead to path traversal. This vulnerability is tracked as CVE-2026-46397 . The attack can be launched remotely. No exploit exists. It is advisable to upgrade the affected component.