Description
HAX CMS helps manage a microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue.
Published: 2026-06-05
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authenticated file overwrite flaw in the PHP backend of HAX CMS, which permits an attacker with valid credentials to replace critical configuration files. By configuring malicious Git filter commands, the attacker can trigger the execution of arbitrary code on the server. This flaw maps to CWE-15, CWE-73, and CWE-78 and results in full remote code execution, compromising confidentiality, integrity, and availability.

Affected Systems

HAX CMS from haxtheweb, specifically the PHP backend before version 26.0.0, is affected. The Node.js variant is also listed by the CNA, though the description focuses on PHP. Administrators should verify that their installation is on or above 26.0.0 or remove the vulnerable component.

Risk and Exploitability

The CVSS score of 9.4 denotes critical severity. The EPSS score is not available, and the absence of a KEV listing does not lessen the threat. Exploitation requires authenticated access to the CMS; an attacker can upload a crafted configuration file that the application interprets as a Git filter, leading to arbitrary command execution with the privileges of the web server. A single compromised account can subvert the entire installation.

Generated by OpenCVE AI on June 5, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HAX CMS to version 26.0.0 or later to apply the vendor-supplied fix.
  • If an upgrade cannot be performed immediately, restrict write access to configuration directories and disable automatic processing of Git filter commands to prevent an attacker from deploying malicious payloads.
  • Conduct a security review of file upload controls and enforce strict file permission checks, ensuring that only authorized personnel can modify configuration files.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 21:15:00 +0000

Values added:
  • First Time appeared: Haxtheweb, Haxtheweb haxcms-nodejs, Haxtheweb haxcms-php
  • Vendors & Products: Haxtheweb, Haxtheweb haxcms-nodejs, Haxtheweb haxcms-php

Fri, 05 Jun 2026 19:00:00 +0000

Values added:
  • Description: HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue.
  • Title: Authenticated Remote Code Execution via File Overwrite
  • Weaknesses: CWE-15, CWE-73, CWE-78
  • References:
  • Metrics: cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T18:13:15.808Z

Reserved: 2026-05-13T21:04:10.932Z

Link: CVE-2026-46399

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-05T19:16:33.960

Modified: 2026-06-05T19:20:19.607

Link: CVE-2026-46399

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T21:00:04Z

Weaknesses