CVE-2025-49141
BaseFortify

Publication date: 2025-06-09

Last updated on: 2025-07-30

Assigner: GitHub, Inc.

Description
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue.
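As an added illustration that is not HAX CMS code and not the project's 11.0.3 patch: a hardened `set_remote` that validates the remote URL component by component with `parse_url` and allowlists, then runs git through `proc_open` with an argument array so no shell ever sees the input. Function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not HAX CMS code; function names are hypothetical.
// Contrast: proc_open("git remote add origin $url", ...) with a string
// command hands the whole line to /bin/sh, which is the CWE-78 pattern.

// Parse the URL into components and allowlist each one, instead of relying
// on filter_var(FILTER_VALIDATE_URL) or strpos() checks on the raw string.
function validate_git_remote(string $url): ?string
{
    if (strlen($url) > 512 || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;                           // control chars or whitespace
    }
    $p = parse_url($url);
    if ($p === false || ($p['scheme'] ?? '') !== 'https') {
        return null;                           // https only: no ssh://, file://
    }
    foreach (['user', 'pass', 'query', 'fragment'] as $k) {
        if (isset($p[$k])) {
            return null;                       // no credentials or extras
        }
    }
    if (!preg_match('/^[a-z0-9.-]+$/i', $p['host'] ?? '')
        || !preg_match('#^/[A-Za-z0-9._/-]+$#', $p['path'] ?? '')) {
        return null;                           // host and repo path allowlists
    }
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    return 'https://' . $p['host'] . $port . $p['path'];
}

// An argv array (PHP >= 7.4) makes proc_open() exec git directly: each
// element is one argument, so shell metacharacters are never interpreted.
// The "--" keeps git from reading a leading "-" in the URL as an option.
function set_remote_safe(string $repoDir, string $url): bool
{
    $clean = validate_git_remote($url);
    if ($clean === null) {
        return false;
    }
    $argv = ['git', '-C', $repoDir, 'remote', 'add', 'origin', '--', $clean];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc) === 0;        // non-zero exit => remote not added
}
```

Rejecting the request outright when validation fails, rather than trying to sanitise the string, is the point: the command line is built only from values that already passed the allowlist.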
Meta Information
Published: 2025-06-09
Last Modified: 2025-07-30
Generated: 2026-05-07
AI Q&A: 2025-06-10
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
psu | haxcms-nodejs | up to 11.0.3 (excluded)
psu | haxcms-php | up to 11.0.0 (excluded)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in HAX CMS PHP occurs because the `gitImportSite` functionality takes a URL string from a POST request and does not properly validate it. The input is then passed to the `proc_open` function via `set_remote`, which leads to OS command injection. An authenticated attacker can craft a malicious URL that bypasses the existing validation checks and execute arbitrary operating system commands on the backend server. The attacker can also exfiltrate the output of these commands through an HTTP request. This issue was fixed in version 11.0.3.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized execution of arbitrary OS commands on the backend server, which can lead to full system compromise. An attacker could exfiltrate sensitive data, modify or delete data, disrupt service availability, or use the server as a pivot point to attack other systems. Because the attacker must be authenticated, the risk is limited to users with some level of access, but the impact remains high.


What immediate steps should I take to mitigate this vulnerability?

Upgrade HAX CMS PHP to version 11.0.3 or later, which contains a patch for this vulnerability. Additionally, restrict access to the affected functionality to trusted authenticated users only and monitor for unusual POST requests to the gitImportSite functionality.

