CVE-2026-46394 in haxcms-php
Summary
by MITRE • 06/05/2026
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The application constructs shell command strings using unsanitized input and executes them via proc_open(). An attacker who can control parameters passed into Git operations can execute arbitrary OS commands with the privileges of the web server. Out of 17 functions that invoke shell commands only 1 function (`commit()`) correctly uses `escapeshellarg()`. When combined with another vulnerability that allows configuration manipulation, this issue can lead to full remote code execution and complete system compromise. Version 26.0.0 patches the issue.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 06/05/2026
The HAX CMS platform presents a critical operating system command injection vulnerability within its PHP backend implementation prior to version 26.0.0. This flaw resides in the Git.php library where the application constructs shell command strings using unsanitized user input and subsequently executes these commands through the proc_open() function. The vulnerability stems from inadequate input validation and sanitization practices within the codebase, creating a pathway for malicious actors to inject arbitrary operating system commands that execute with the privileges of the web server process. The security issue is particularly concerning as it affects core Git operations within the content management system's microsite universe management capabilities.
The technical implementation of this vulnerability demonstrates a significant weakness in the application's command execution architecture where only a single function among seventeen that invoke shell commands properly employs the escapeshellarg() function for input sanitization. This inconsistency creates a predictable attack surface where any parameter passed to Git operations can be manipulated to inject malicious commands. The flaw operates at the intersection of CWE-78 and CWE-88, representing both improper neutralization of special elements used in OS commands and the execution of untrusted commands. The vulnerability's exploitation requires an attacker to control parameters passed into Git operations, which can be achieved through various attack vectors including configuration manipulation that may be present elsewhere in the application's architecture.
The operational impact of this vulnerability extends beyond simple command injection to potentially enable full remote code execution and complete system compromise when combined with additional vulnerabilities. An attacker who successfully exploits this flaw can execute arbitrary code on the server with the privileges of the web server process, potentially leading to data exfiltration, system enumeration, privilege escalation, and persistence mechanisms. The attack surface is particularly dangerous because it allows for arbitrary command execution with the web server's permissions, which may be sufficient to compromise the entire hosting environment. This vulnerability represents a critical threat to the security posture of any system running vulnerable versions of HAX CMS, as it provides a direct pathway for attackers to gain unauthorized access to the underlying infrastructure.
The remediation for this vulnerability requires updating to version 26.0.0 or later, which implements proper input sanitization techniques including the consistent application of escapeshellarg() across all shell command invocations. Organizations should also implement additional security controls such as input validation at multiple layers, privilege separation for web server processes, and regular security assessments of third-party libraries. The vulnerability demonstrates the importance of maintaining up-to-date software components and implementing proper secure coding practices including parameterized commands and input sanitization. Security teams should conduct comprehensive vulnerability assessments of similar applications and libraries to identify potential instances of command injection flaws, as this vulnerability aligns with ATT&CK technique T1059.001 for command and scripting interpreter and T1078.004 for valid accounts. The incident underscores the critical need for secure coding practices and proper input validation in web applications, particularly when dealing with external system interactions and shell command execution.