CVE-2026-46400 in haxcms-php
Summary
by MITRE • 06/05/2026
HAX CMS helps manage a microsite universe with PHP or NodeJs backends. Starting in version 11.0.6 and prior to version 25.0.0, the file upload functionality in HAXCMS PHP only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicious files (e.g., PHP webshells) disguised as legitimate image files, potentially leading to remote code execution. Version 25.0.0 contains a fix for the issue.
Analysis
by VulDB Data Team • 06/05/2026
HAX CMS is a content management system for managing microsite environments, with backend support for both PHP and Node.js. The vulnerability examined here affects the PHP backend in versions 11.0.6 through 24.9.9 and directly impacts the system's file upload functionality. The flaw stems from validation that relies solely on regular expression matching of the file extension, with no verification of the file content or its MIME type. It is classified under CWE-434, which covers the insecure upload of executable files, a fundamental weakness in the application's input validation controls. An attacker can exploit it by submitting a file whose extension matches a legitimate image format such as .jpg, .png, or .gif while the content carries PHP code. Because the content is never inspected, such a disguised payload passes the checks and is stored on the server, creating a persistent vector for unauthorized code execution.
The operational impact extends well beyond the upload feature to potential compromise of the entire system. An attacker who succeeds in uploading a malicious file can achieve remote code execution, running arbitrary commands on the affected server and potentially taking it over completely. The vulnerability maps directly to ATT&CK technique T1505.003, which covers server-side include attacks and file upload vulnerabilities that let adversaries execute code on target systems. The attack surface is particularly dangerous because uploaded files are reachable through the web application's normal access paths, which lets an attacker maintain persistent access to the compromised system. The flaw affects the integrity and confidentiality of the whole microsite universe managed by HAX CMS, potentially exposing sensitive data and undermining the trust between system administrators and the end users who rely on the platform for content management.
The fix in version 25.0.0 addresses the root cause with comprehensive file validation. It likely adds multiple validation layers, including MIME type verification, file content analysis, and stricter extension checking, so that executable code can no longer be uploaded disguised as a media file. This approach follows the guidance of organizations such as OWASP and NIST for preventing file upload vulnerabilities in web applications. Organizations running affected versions of HAX CMS should update to version 25.0.0 or later immediately. Defense in depth can be added by restricting file upload directories, enforcing proper access controls on uploaded files, and regularly assessing uploaded content. The vulnerability also underlines the importance of input validation and the principle of least privilege in web application security: upload functionality should operate within strict boundaries, and uploaded files should be fully verified before being made accessible to end users.
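The contrast between the extension-only check described in the analysis and the content-aware validation the fix is expected to add, as an added PHP example that is not HAXCMS code. The function names are hypothetical, the sample files are constructed inline, and the hardened path assumes the fileinfo extension is available.

```php
<?php
// Added example (not HAXCMS code): extension-only check vs content-aware check.
// Writes constructed sample files to a temp dir, validates them both ways, and cleans up.

// Weak validation modelled on the advisory: the file name alone decides.
function extensionOnlyCheck(string $filename): bool {
    return preg_match('/\.(jpe?g|png|gif)$/i', $filename) === 1;
}

// Hardened validation: allowlisted extension, MIME type sniffed from the bytes
// on disk, the two must agree, and the file must actually decode as an image.
function contentAwareCheck(string $filename, string $path): bool {
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);   // needs ext/fileinfo (assumption)
    $mime = $finfo->file($path);
    if ($mime !== $allowed[$ext]) {
        return false;                         // claimed type and real type differ
    }
    $info = @getimagesize($path);             // parses the image header itself
    return $info !== false && $info['mime'] === $allowed[$ext];
}

// Constructed samples: a valid 1x1 PNG, and plain text under an image name.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$samples = [
    'photo.png' => $png,
    'photo.jpg' => 'this is not an image',    // passes the regex, fails the content check
];
foreach ($samples as $name => $bytes) {
    $path = tempnam(sys_get_temp_dir(), 'upload_');
    file_put_contents($path, $bytes);
    printf("%-10s extension-only=%s content-aware=%s\n", $name,
        extensionOnlyCheck($name) ? 'accept' : 'reject',
        contentAwareCheck($name, $path) ? 'accept' : 'reject');
    unlink($path);
}
```

Content checks decide whether a file is what it claims to be, not whether it is safe to execute, so they belong alongside the analysis's other recommendations: store uploads under server-generated names in a directory the PHP handler never executes from.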