Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML files is case-sensitive. An HTML file uploaded with an uppercase extension (`.HTML`, `.Html`, `.HTM`) is still served as `text/html` but the forced-download header never applies, so the browser renders it inline and executes any embedded JavaScript in the HAXcms origin. This bypasses the mitigation shipped for CVE-2026-22704. Version 26.0.0 contains a fix.
Published: 2026-06-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An injection flaw in HAX CMS PHP allows an attacker to store a malicious script that will execute in the victims' browsers when the uploaded file is viewed. The vulnerability stems from a case‑sensitivity mismatch between the file‑extension validation logic and the .htaccess rule that forces HTML downloads. Files uploaded with an upper‑case extension are written to disk but still served with the text/html content type, allowing inline rendering and script execution. The flaw is classified as a high‑severity stored cross‑site scripting flaw (CWE-178) coupled with insecure file upload handling (CWE-434).

Affected Systems

HAX CMS PHP installations running any version prior to 26.0.0 of the PHP backend are affected. Users with the legacy upload component exposed through the saveFile endpoint are at risk if they accept uploads of HTML files with mixed‑case extensions.

Risk and Exploitability

The CVSS score of 8.7 signals substantial impact potential. Attackers can exploit the flaw remotely by sending a crafted upload to the public saveFile endpoint. No exploitation data is currently listed in the CISA KEV catalog, and the EPSS score is not available, but the high severity suggests a significant risk, especially in environments where unauthenticated upload is permitted.

Generated by OpenCVE AI on June 5, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HAX CMS PHP to version 26.0.0 or later, which contains the corrected file‑extension validation and download enforcement.
  • Ensure that the .htaccess rule forces download for all HTML extensions in a case‑insensitive way, preventing inline rendering of any remaining mismatched files.
  • Scan the uploads directory for previously uploaded malicious HTML files and remove or quarantine them to eliminate stored threat vectors.

Generated by OpenCVE AI on June 5, 2026 at 20:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Haxtheweb
Haxtheweb haxcms-php
Vendors & Products Haxtheweb
Haxtheweb haxcms-php

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML files is case-sensitive. An HTML file uploaded with an uppercase extension (`.HTML`, `.Html`, `.HTM`) is still served as `text/html` but the forced-download header never applies, so the browser renders it inline and executes any embedded JavaScript in the HAXcms origin. This bypasses the mitigation shipped for CVE-2026-22704. Version 26.0.0 contains a fix.
Title HAX CMS PHP Has a Stored XSS via Case-Sensitivity Mismatch in HTML Upload Validation
Weaknesses CWE-178
CWE-434
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Haxtheweb Haxcms-php
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:11:31.488Z

Reserved: 2026-05-13T19:53:47.922Z

Link: CVE-2026-46392

cve-icon Vulnrichment

Updated: 2026-06-05T19:11:11.675Z

cve-icon NVD

Status : Deferred

Published: 2026-06-05T19:16:33.160

Modified: 2026-06-05T20:17:33.480

Link: CVE-2026-46392

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T21:30:04Z

Weaknesses
  • CWE-178

    Improper Handling of Case Sensitivity

  • CWE-434

    Unrestricted Upload of File with Dangerous Type