CVE-2026-46399

Summary

HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue.

Affected Software

VendorProductVersion RangeStatus
haxthewebhaxcms-nodejs< 26.0.0affected
haxthewebhaxcms-php< 26.0.0affected

Weaknesses

  • CWE-15: CWE-15: External Control of System or Configuration Setting
  • CWE-73: CWE-73: External Control of File Name or Path
  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References