CVE-2026-46392
HTML File Upload Bypass in HAX CMS PHP
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| haxtheweb | hax_cms | 25.0.0 |
| haxtheweb | hax_cms | to 26.0.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-178 | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46392 is a stored cross-site scripting (XSS) vulnerability in HAXcms-php versions 25.0.0 and earlier. It occurs because the file upload validation in PHP checks file extensions case-insensitively, allowing files with uppercase extensions like .HTML, .Html, or .HTM to be uploaded.
However, the server's .htaccess rule that forces a Content-Disposition: attachment header on HTML files is case-sensitive and does not apply to uppercase extensions. As a result, these files are served as text/html without the forced-download header, allowing embedded JavaScript to execute in the HAXcms origin.
This bypasses a previous mitigation for CVE-2026-22704 and can lead to full account takeover if an attacker uploads a malicious HTML file with an uppercase extension.
The vulnerability is fixed in version 26.0.0 by normalizing file extensions to lowercase during upload to ensure consistent enforcement of the force-download rule.
How can this vulnerability impact me?
This vulnerability can lead to a full account takeover by allowing an attacker to upload a malicious HTML file with an uppercase extension that executes embedded JavaScript in the victim's browser within the HAXcms origin.
Because the malicious script runs in the context of the trusted site, it can steal sensitive information, hijack user sessions, or perform actions on behalf of the victim.
The vulnerability has a high severity with a CVSS score of 8.7, indicating significant impact on confidentiality and integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence of uploaded HTML files with uppercase extensions (.HTML, .Html, .HTM) on the HAX CMS system, as these files bypass the force-download header and can execute embedded JavaScript.
You can inspect the upload directories for files with uppercase HTML extensions and verify how the server serves these files.
- Use a command like `find /path/to/haxcms/uploads -type f \( -iname '*.html' -o -iname '*.htm' \)` to locate files with any case variation of HTML extensions (the `-iname` tests are portable; `-iregex '.*\.(html|htm)$'` only works on GNU find with `-regextype posix-extended`).
- Use curl or wget to request such files and inspect the HTTP headers to see if the Content-Disposition: attachment header is missing for uppercase extensions, e.g., `curl -I https://your-haxcms-site/uploads/malicious.HTML`.
- Check server logs for requests to files with uppercase HTML extensions that are served as text/html without the forced download header.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade HAX CMS PHP to version 26.0.0 or later, which contains a fix that normalizes file extensions to lowercase during upload, ensuring consistent enforcement of the force-download rule.
Until the upgrade can be applied, you should manually check and remove or rename any uploaded HTML files with uppercase extensions to lowercase extensions to ensure the .htaccess rules apply correctly.
Additionally, review and update the .htaccess rules to be case-insensitive if possible, to enforce the Content-Disposition: attachment header on all HTML files regardless of extension case.
Restrict upload permissions and monitor uploads closely to prevent malicious files from being uploaded.
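The detection and interim-mitigation steps above (locate uploads whose extension slips through the case-sensitive rule, rename them to a lowercase extension, and confirm the force-download header is present) as an added example script; it is not part of the advisory or the HAX CMS project, and the upload path and the exact `.htaccess` pattern it assumes (`\.(html|htm)$`, lowercase only) are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory or the HAX CMS project: find uploaded
# files that pass a case-insensitive extension check but fall outside a
# case-sensitive lowercase "\.(html|htm)$" .htaccess rule (assumed pattern),
# rename them to a lowercase extension without clobbering existing files,
# and test captured response headers for the force-download directive.

# Print every file under $1 whose extension is html/htm in any spelling other
# than all-lowercase, one path per line (paths containing newlines are not
# handled).
find_case_gap() {
    find "$1" -type f \( -iname '*.html' -o -iname '*.htm' \) -print |
    while IFS= read -r f; do
        case "${f##*.}" in
            html|htm) ;;                 # lowercase: covered by the rule
            *) printf '%s\n' "$f" ;;     # mixed/upper case: in the gap
        esac
    done
}

# Rename each gap file to its lowercase extension. If the target already
# exists (e.g. page.HTML beside page.html) the file is left alone and
# reported on stderr, so the rename can never overwrite another upload.
normalize_ext() {
    find_case_gap "$1" | while IFS= read -r f; do
        lower=$(printf '%s' "${f##*.}" | tr '[:upper:]' '[:lower:]')
        target="${f%.*}.$lower"
        if [ -e "$target" ]; then
            printf 'skip (target exists): %s\n' "$f" >&2
        else
            mv -- "$f" "$target"
        fi
    done
}

# Read response headers on stdin (e.g. from `curl -sI URL`); succeed when a
# Content-Disposition: attachment header is present, fail when it is missing.
has_attachment_header() {
    grep -qi '^content-disposition:[[:space:]]*attachment'
}
```

Run `find_case_gap /path/to/haxcms/uploads` first and review the list; `normalize_ext` applies the rename, and `curl -sI https://your-haxcms-site/uploads/file.HTML | has_attachment_header` checks what the server actually sends for a given file.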
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to execute stored cross-site scripting (XSS) attacks leading to full account takeover by uploading malicious HTML files with uppercase extensions. Such unauthorized access and execution of malicious scripts can result in exposure or compromise of sensitive user data.
Consequently, this can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Failure to mitigate this vulnerability could lead to violations of these regulations due to potential data breaches or unauthorized data processing.