CVE-2026-46399 in haxcms-nodejs

Summary

by MITRE • 06/05/2026

HAX CMS helps manage a microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue.


Analysis

by VulDB Data Team • 06/06/2026

HAX CMS manages collections of microsites and ships with either a PHP or a Node.js backend. This analysis covers the authenticated file overwrite in the PHP backend before version 26.0.0. An authenticated user can overwrite files that the application should never let a content editor write, including configuration that controls how Git processes the site repositories, and from there reach code execution on the server.

The route from file overwrite to code execution runs through Git filter drivers. A filter driver is a `[filter "<name>"]` section in Git configuration whose `clean`, `smudge` and `process` keys are commands; `.gitattributes` assigns paths to a driver, and Git runs the configured command whenever a matching path is checked in or out. Git trusts its own configuration, so no further check stands between the configured command and its execution. Configuring a filter therefore means writing to Git configuration, and the overwrite must reach a file that Git reads as configuration, typically the site repository's `.git/config`. Once the filter is in place, the command runs under the web server's account the next time HAX CMS performs a Git operation on that repository. The precondition is a valid account, so the flaw is a post-authentication escalation from content editing to command execution on the host.

The impact goes beyond the overwritten file. A planted filter is persistent: it fires on ordinary Git activity, not on a single request, and gives the attacker a durable foothold under the web server's account. Because the PHP backend hosts every managed microsite, one account on one site can compromise the whole installation, which is especially damaging in multi-tenant deployments where sites belonging to different owners share the same server. From there the attacker can install backdoors, read data from all hosted sites, or pivot to other systems reachable from the server.

The fix is to upgrade to version 26.0.0 or later. Until the upgrade is deployed, administrators should inspect the `.git/config` and `.gitattributes` of every site repository for filter drivers they did not configure, alert on writes to Git configuration by the web server account, run the PHP backend under an account with no more privilege than serving the sites requires, and segment the host so a compromised CMS cannot reach other systems. The page classifies the flaw under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path). In ATT&CK terms the chain is T1078 (Valid Accounts) for the authenticated precondition, T1190 (Exploit Public-Facing Application) for the overwrite itself, and T1059 (Command and Scripting Interpreter) for the filter command Git executes. Organizations should confirm that every HAX CMS installation is updated and keep logging of file writes and Git operations on the server so that a planted filter is detected rather than discovered after it has run.
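The check described above, written out as an added example that is not part of the VulDB page or of HAX CMS itself: a small audit that parses a repository's `.git/config` and `.gitattributes`, lists every filter driver, and reports any whose commands are not on an allowlist, together with the paths that would trigger it. The allowlist holds the commands git-lfs installs for its `lfs` filter; the sample config, attributes, filter name `tidy` and path `/var/tmp/.tidy` are constructed for the example.

```python
"""Audit a Git repository's configuration for filter drivers that run commands.

Added example, not code from HAX CMS or VulDB. Git runs the commands under
[filter "<name>"] clean/smudge/process whenever a path assigned to that filter
in .gitattributes is checked in or out, so a writable .git/config is a
code-execution primitive. All sample data below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Filter drivers expected on the host. The lfs commands are the ones git-lfs
# installs; treating them as the only legitimate drivers is an assumption.
KNOWN_GOOD = {
    "lfs": {
        "clean": "git-lfs clean -- %f",
        "smudge": "git-lfs smudge -- %f",
        "process": "git-lfs filter-process",
    },
}

SECTION_RE = re.compile(r'^\s*\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
KEYVAL_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')


def parse_git_config(text: str) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Minimal parser for git's INI-style config: {(section, subsection): {key: value}}.

    Comments start at '#' or ';' (quoted values containing them are not handled).
    """
    entries: Dict[Tuple[str, str], Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2) or "")
            entries.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1).lower()] = m.group(2)
    return entries


def filter_drivers(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {filter_name: {key: value}} for every [filter "name"] section."""
    return {sub: kv for (sec, sub), kv in parse_git_config(config_text).items()
            if sec == "filter"}


def filter_assignments(attributes_text: str) -> List[Tuple[str, str]]:
    """Return [(pattern, filter_name)] for every 'filter=<name>' in .gitattributes."""
    out = []
    for raw in attributes_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *attrs = line.split()
        for attr in attrs:
            if attr.startswith("filter="):
                out.append((pattern, attr[len("filter="):]))
    return out


def audit(config_text: str, attributes_text: str) -> List[dict]:
    """Report filter drivers whose commands differ from the allowlist.

    Also reports filters that .gitattributes references but the config does not
    define: inert today, live the moment someone writes the [filter] section.
    """
    findings = []
    drivers = filter_drivers(config_text)
    assigned = filter_assignments(attributes_text)
    for name, kv in drivers.items():
        commands = {k: v for k, v in kv.items() if k in ("clean", "smudge", "process")}
        if commands == KNOWN_GOOD.get(name):
            continue
        paths = [p for p, n in assigned if n == name]
        findings.append({"filter": name, "commands": commands, "paths": paths})
    for pattern, name in assigned:
        if name not in drivers:
            findings.append({"filter": name, "commands": {}, "paths": [pattern],
                             "undefined": True})
    return findings


# Constructed sample: a legitimate lfs driver beside a planted "tidy" driver.
SAMPLE_CONFIG = """\
[core]
	repositoryformatversion = 0
	filemode = true
[filter "lfs"]
	clean = git-lfs clean -- %f
	smudge = git-lfs smudge -- %f
	process = git-lfs filter-process
	required = true
[filter "tidy"]
	smudge = /var/tmp/.tidy %f
	required = true
"""

SAMPLE_ATTRIBUTES = """\
# constructed .gitattributes
*.png filter=lfs diff=lfs merge=lfs -text
*.html filter=tidy
*.json filter=fmt
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_ATTRIBUTES):
        print(finding)
```

Run against a real site, read `.git/config` and `.gitattributes` from the repository and pass their contents to `audit()`; a `required = true` on an unexpected driver is worth noting too, since it makes Git refuse to check out rather than skip the filter when the command is missing. Git also reads user and system configuration, so a thorough check covers `~/.gitconfig` of the web server account and `/etc/gitconfig` as well.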

Responsible

GitHub M

Reservation

05/13/2026

Disclosure

06/05/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
