Executive Summary

CVE-2026-46392 is a stored cross-site scripting (XSS) vulnerability in HAXcms-php versions 25.0.0 and earlier. It occurs because the file upload validation in PHP checks file extensions case-insensitively, allowing files with uppercase extensions like .HTML, .Html, or .HTM to be uploaded.

However, the server's .htaccess rule that forces a Content-Disposition: attachment header on HTML files is case-sensitive and does not apply to uppercase extensions. As a result, these files are served as text/html without the forced-download header, allowing embedded JavaScript to execute in the HAXcms origin.

This bypasses a previous mitigation for CVE-2026-22704 and can lead to full account takeover if an attacker uploads a malicious HTML file with an uppercase extension.

The vulnerability is fixed in version 26.0.0 by normalizing file extensions to lowercase during upload to ensure consistent enforcement of the force-download rule.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to execute stored cross-site scripting (XSS) attacks leading to full account takeover by uploading malicious HTML files with uppercase extensions. Such unauthorized access and execution of malicious scripts can result in exposure or compromise of sensitive user data.

Consequently, this can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Failure to mitigate this vulnerability could lead to violations of these regulations due to potential data breaches or unauthorized data processing.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a full account takeover by allowing an attacker to upload a malicious HTML file with an uppercase extension that executes embedded JavaScript in the victim's browser within the HAXcms origin.

Because the malicious script runs in the context of the trusted site, it can steal sensitive information, hijack user sessions, or perform actions on behalf of the victim.

The vulnerability has a high severity with a CVSS score of 8.7, indicating significant impact on confidentiality and integrity.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking for the presence of uploaded HTML files with uppercase extensions (.HTML, .Html, .HTM) on the HAX CMS system, as these files bypass the force-download header and can execute embedded JavaScript.

You can inspect the upload directories for files with uppercase HTML extensions and verify how the server serves these files.

• Use commands like `find /path/to/haxcms/uploads -iregex '.*\.(html|htm)$'` to locate files with any case variation of HTML extensions.
• Use curl or wget to request such files and inspect the HTTP headers to see if the Content-Disposition: attachment header is missing for uppercase extensions, e.g., `curl -I https://your-haxcms-site/uploads/malicious.HTML`.
• Check server logs for requests to files with uppercase HTML extensions that are served as text/html without the forced download header.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation is to upgrade HAX CMS PHP to version 26.0.0 or later, which contains a fix that normalizes file extensions to lowercase during upload, ensuring consistent enforcement of the force-download rule.

Until the upgrade can be applied, you should manually check and remove or rename any uploaded HTML files with uppercase extensions to lowercase extensions to ensure the .htaccess rules apply correctly.

Additionally, review and update the .htaccess rules to be case-insensitive if possible, to enforce the Content-Disposition: attachment header on all HTML files regardless of extension case.

Restrict upload permissions and monitor uploads closely to prevent malicious files from being uploaded.

Useful 0 Not Useful 0