CVE-2026-46397 in haxcms-php
Summary
by MITRE • 06/05/2026
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). Version 26.0.0 patches the issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/06/2026
The HAX CMS represents a content management system designed to handle microsite universes with flexible backend support including both PHP and Node.js environments. This platform facilitates the creation and management of multiple interconnected websites through a unified administrative interface. The vulnerability under examination affects the saveOutline endpoint within the system's backend architecture, specifically targeting authenticated users who possess limited privileges within the CMS environment. The flaw exists in how the system processes user-supplied input when saving outline data to the site.json configuration file, creating a pathway for malicious manipulation that bypasses normal security controls.
The technical implementation of this local file inclusion vulnerability stems from insufficient input validation and sanitization within the saveOutline endpoint. When a user submits outline data through this interface, the system fails to properly validate or sanitize the location field parameter before writing it to the site.json file. This allows attackers to inject malicious file paths that reference system files accessible to the web server process. The vulnerability specifically affects the Node.js backend implementation, where the system's file handling mechanisms do not adequately restrict file access paths, enabling attackers to traverse the filesystem and access sensitive files that should remain protected. The flaw aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal attacks. The attack vector operates through the manipulation of the location field parameter, which is directly written to the site.json configuration file without proper validation, creating a persistent vulnerability that can be exploited by any authenticated user with sufficient privileges to access the outline saving functionality.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with access to critical system resources that could compromise the entire platform. Successful exploitation allows attackers to read sensitive files such as /etc/passwd, which contains user account information, application secrets stored in configuration files, and other sensitive data accessible to the www-data user account. This access enables attackers to gather intelligence about the system's user base, potentially leading to privilege escalation attacks or credential reuse attacks against other services. The vulnerability is particularly dangerous because it requires minimal privileges to exploit, making it accessible to users who might not have direct administrative access to the system. Attackers can leverage this weakness to extract database connection strings, API keys, encryption keys, and other sensitive configuration data that could be used to compromise the entire web application infrastructure. The persistent nature of the vulnerability means that once exploited, attackers can maintain access to read additional files over time, potentially leading to complete system compromise.
Mitigation of this vulnerability requires immediate implementation of version 26.0.0 or later, which includes proper input validation and sanitization for the saveOutline endpoint. Organizations should also implement additional security controls including strict file access restrictions, input validation at multiple layers, and regular security auditing of configuration files. The fix should incorporate proper path validation to prevent traversal attacks and ensure that all file paths written to configuration files are properly sanitized and restricted to legitimate application directories. Security monitoring should be implemented to detect unusual file access patterns and potential exploitation attempts. Additionally, organizations should review their authentication and authorization controls to ensure that users have appropriate least privilege access, limiting the potential impact of compromised accounts. The vulnerability demonstrates the importance of secure file handling practices and input validation in web applications, with implications for the broader security community. This issue aligns with ATT&CK technique T1213.002 for credential access through data from information repositories, and T1566.002 for social engineering through phishing attacks that may leverage this vulnerability to gain initial access to the system. Organizations should also consider implementing web application firewalls and additional network segmentation to limit the potential impact of such vulnerabilities.