Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 11.0.6 and prior to version 25.0.0, the file upload functionality in HAXCMS PHP only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicious files (e.g., PHP webshells) disguised as legitimate image files, potentially leading to remote code execution. Version 25.0.0 contains a fix for the issue.
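The extension-only check the advisory describes, beside a hardened validator that also inspects file content and lets the server choose the stored name. This is an added example written for this page, not HAXCMS's own code; `UPLOAD_DIR` and the upload handler are assumed.

```php
<?php
// Added example (not HAXCMS code). Shows the class of check the advisory
// describes (regex on the client-supplied name only) next to a validator
// that also sniffs the content and discards the client's filename.

// Weak: only the extension of the client-supplied name is checked, so any
// content with a ".png" suffix passes (CWE-434).
function extension_only_check(string $originalName): bool
{
    return (bool) preg_match('/\.(png|jpe?g|gif|webp)$/i', $originalName);
}

// Hardened: extension allowlist AND content-derived MIME type AND a parseable
// image header. Returns the server-chosen filename, or null if rejected.
function validate_image_upload(string $tmpPath, string $originalName): ?string
{
    // Allowed content types mapped to the canonical extension we will store.
    $allowed = [
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
        'image/gif'  => 'gif',
        'image/webp' => 'webp',
    ];
    // 1. Cheap first filter on the client name (same regex, but not the only check).
    if (!preg_match('/\.(png|jpe?g|gif|webp)$/i', $originalName)) {
        return null;
    }
    // 2. MIME type from the bytes on disk, never from $_FILES['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !isset($allowed[$mime])) {
        return null;
    }
    // 3. The file must parse as an image, not merely start with an image magic.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    // 4. Never reuse the client name: random name plus canonical extension.
    //    A valid image can still carry script text in metadata, so the
    //    directory it lands in must also deny script execution (no .php handler).
    return bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
}

// Hypothetical handler; UPLOAD_DIR is assumed to be outside the web root or
// served with script execution disabled.
// $name = validate_image_upload($_FILES['file']['tmp_name'], $_FILES['file']['name']);
// if ($name === null) { http_response_code(400); exit; }
// move_uploaded_file($_FILES['file']['tmp_name'], UPLOAD_DIR . '/' . $name);
```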
Published: 2026-06-05
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a file upload validation bypass in HAXCMS PHP: the upload handler checks only the file extension, so an attacker can upload a file with an image extension whose content is never validated. This permits uploading malicious PHP code that the web server may run, leading to remote code execution if the attacker can reach the uploaded script over HTTP. The weakness is classified as CWE-434 (unrestricted upload of a file with a dangerous type).

Affected Systems

Affected servers are those running HAXCMS PHP versions 11.0.6 up to, but not including, 25.0.0. Users who have not upgraded to 25.0.0 or later remain exposed while using the PHP backend with file uploads enabled. The fix is included in version 25.0.0 and later, giving a clear upgrade path.

Risk and Exploitability

The CVSS score of 8.7 denotes high severity, and with a publicly reachable upload interface the attack vector is remote over the network (the vector requires low privileges and no user interaction). Because the flaw accepts any content carrying an image extension, an attacker can upload a web shell or other executable payload and trigger its execution by requesting the file over HTTP, potentially compromising the entire application. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the severity still warrants prompt action.

Generated by OpenCVE AI on June 5, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HAXCMS PHP to version 25.0.0 or later to apply the fixed upload validation logic.
  • If upgrading immediately is not feasible, temporarily disable the file upload feature or restrict it to trusted users only.
  • As an additional defensive measure, configure the web server to verify MIME types from file content and to prevent files in the upload directory from being executed as scripts on the server side.

Generated by OpenCVE AI on June 5, 2026 at 20:36 UTC.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Haxtheweb; Haxtheweb haxcms-php
Vendors & Products  |                | Haxtheweb; Haxtheweb haxcms-php

Fri, 05 Jun 2026 19:30:00 +0000

Type        | Values Removed | Values Added
Description |                | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 11.0.6 and prior to version 25.0.0, the file upload functionality in HAXCMS PHP only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicious files (e.g., PHP webshells) disguised as legitimate image files, potentially leading to remote code execution. Version 25.0.0 contains a fix for the issue.
Title       |                | HAXCMS PHP has a File Upload Validation Bypass
Weaknesses  |                | CWE-434
References  |                |
Metrics     |                | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:15:29.745Z

Reserved: 2026-05-13T21:04:10.932Z

Link: CVE-2026-46400

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-05T20:17:34.073

Modified: 2026-06-05T20:48:21.200

Link: CVE-2026-46400

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T20:45:04Z

Weaknesses