CVE-2026-46394
OS Command Injection in HAXcms PHP Backend
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| haxtheweb | haxcms | < 26.0.0 (26.0.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46394 is an OS command injection vulnerability found in the Git.php library of the HAXcms PHP backend. The vulnerability occurs because the application builds shell command strings using unsanitized input and executes them via the proc_open() function.
An attacker who can control parameters passed into Git operations can inject arbitrary OS commands that run with the privileges of the web server. Only one function, commit(), properly sanitizes input using escapeshellarg(), while others like the run() method directly concatenate input, allowing shell metacharacters to execute unintended commands.
When combined with other vulnerabilities that allow configuration manipulation (such as path traversal or file overwrite), this issue can lead to full remote code execution and complete system compromise.
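The pattern the answer above describes, as an added illustration that is not HAXcms code and does not reproduce Git.php: a hypothetical `GitRunner` class whose `runUnsafe()` concatenates caller input into a shell string, beside a `runQuoted()` form that wraps every token in `escapeshellarg()` and a `runDirect()` form that passes an array to `proc_open()` so no shell is involved at all. The class name, method names, the allowlist regex and the sample branch value are all assumptions; PHP 8 and a `git` binary on the PATH are assumed.

```php
<?php
// Added illustration, not code from HAXcms or its Git.php: a hypothetical
// GitRunner showing the unsafe concatenation pattern the advisory describes
// next to two hardened forms. Assumes PHP 8 and a git binary on PATH.
declare(strict_types=1);

final class GitRunner
{
    public function __construct(private string $repoDir) {}

    // UNSAFE (CWE-78): caller-controlled $args are spliced into a shell string,
    // so ';', '&', '`' and friends become part of the command /bin/sh parses.
    public function runUnsafe(string $args): string
    {
        return $this->execute('git ' . $args);
    }

    // Hardened form 1: every caller-supplied token goes through
    // escapeshellarg(), which wraps it in single quotes and escapes embedded
    // quotes, so the shell hands git one literal argument. This stops shell
    // injection but not option injection (a token beginning with '-').
    public function runQuoted(string $subcommand, string ...$args): string
    {
        $cmd = 'git ' . escapeshellarg($subcommand);
        foreach ($args as $a) {
            $cmd .= ' ' . escapeshellarg($a);
        }
        return $this->execute($cmd);
    }

    // Hardened form 2 (PHP >= 7.4): an array command makes proc_open exec git
    // directly with no shell in the path; an allowlist on each token also
    // rules out option injection and traversal segments.
    public function runDirect(string $subcommand, string ...$args): string
    {
        foreach ([$subcommand, ...$args] as $token) {
            self::assertSafeToken($token);
        }
        return $this->execute(['git', $subcommand, ...$args]);
    }

    // Allowlist for branch names, paths and short messages (an assumption;
    // tighten or loosen per call site). Reject before the process layer.
    private static function assertSafeToken(string $t): void
    {
        if ($t === '' || $t[0] === '-' || str_contains($t, '..')
            || !preg_match('/^[A-Za-z0-9._\/ @:-]{1,255}$/', $t)) {
            throw new InvalidArgumentException('rejected git argument: ' . var_export($t, true));
        }
    }

    /** @param string|string[] $command */
    private function execute(string|array $command): string
    {
        $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
        $proc = proc_open($command, $spec, $pipes, $this->repoDir);
        if (!is_resource($proc)) {
            throw new RuntimeException('proc_open failed');
        }
        fclose($pipes[0]);
        $out = stream_get_contents($pipes[1]);
        $err = stream_get_contents($pipes[2]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        $status = proc_close($proc);
        if ($status !== 0) {
            throw new RuntimeException("git exited with status $status: " . trim($err));
        }
        return $out;
    }
}

// Demonstration on a constructed value carrying a metacharacter; nothing is
// executed here, only the strings each form would hand to the process layer.
$branch = 'main; echo injected';
echo 'unsafe shell string : git checkout ' . $branch . PHP_EOL;
echo 'quoted shell string : git checkout ' . escapeshellarg($branch) . PHP_EOL;
try {
    (new GitRunner(sys_get_temp_dir()))->runDirect('checkout', $branch);
} catch (InvalidArgumentException $e) {
    echo 'allowlist           : ' . $e->getMessage() . PHP_EOL;
}
```

In the unsafe form the shell sees `;` as a command separator; in the quoted form `escapeshellarg()` turns the whole value into one single-quoted argument that git treats as a (nonexistent) ref name; in the direct form the allowlist rejects the value before `proc_open()` is reached. The array form of `proc_open()` is the stronger fix because it removes the shell entirely, but it should still be paired with validation, since git itself interprets tokens that start with `-` as options.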
How can this vulnerability impact me?
This vulnerability can have a severe impact as it allows attackers to execute arbitrary operating system commands with the privileges of the web server.
The potential impacts include full remote code execution, complete system compromise, and a high risk to the confidentiality, integrity, and availability of the affected system.
The attack requires low privileges and no user interaction, making it easier for attackers to exploit.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unsanitized input being passed to shell commands in the Git.php library of the HAXcms PHP backend, specifically in functions other than commit(). Detection can focus on identifying suspicious or unexpected shell command executions originating from the web server process.
To detect exploitation attempts or presence of this vulnerability, you can monitor web server logs and system process executions for unusual commands or parameters containing shell metacharacters such as semicolons (;), ampersands (&), or backticks (`).
Suggested commands to help detect potential exploitation attempts include:
- Use process monitoring tools like `ps aux | grep php` to check for suspicious PHP processes executing shell commands.
- Search web server access logs for requests containing shell metacharacters: ``grep -E '[;&`]' /var/log/apache2/access.log`` (adjust path as needed).
- Use auditd or similar Linux auditing tools to monitor calls to proc_open() or shell command executions by the web server user.
- Check for unexpected files or changes in the application directory that might indicate exploitation combined with configuration manipulation.
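A log-scanning example for the detection advice above, added here and not part of the CVE record. A plain grep over the raw request line is noisy and incomplete: `&` legitimately separates query parameters, and an injected `;` or backtick normally arrives percent-encoded as `%3B` or `%60`, so this script parses each request target, decodes the individual query values (twice, to catch double encoding) and reports only those values that carry a metacharacter. The log lines, the `/api/` path prefix and the parameter names are constructed samples, not real HAXcms endpoints or traffic; PHP 8 is assumed. Access logs do not contain POST bodies, so requests that carry parameters in the body need application or WAF logging instead.

```php
<?php
// Added example, not part of the CVE record: flag access-log requests whose
// decoded query-parameter values contain shell metacharacters. Assumes PHP 8.
declare(strict_types=1);

// Characters the advisory names (; & `) plus | $ and newline, which a shell
// interprets the same way.
const SHELL_META = [';', '&', '`', '|', '$', "\n"];

/** Extract the request target (path?query) from a combined-format log line. */
function requestTarget(string $line): ?string
{
    $re = '/"(?:GET|POST|PUT|PATCH|DELETE)\s+(\S+)\s+HTTP\/[0-9.]+"/';
    return preg_match($re, $line, $m) ? $m[1] : null;
}

/** Return [param => [metachars]] for every decoded query value carrying one. */
function suspiciousParams(string $target): array
{
    $query = (string) parse_url($target, PHP_URL_QUERY);
    parse_str($query, $params);               // decodes %3B -> ';' and %26 -> '&' inside values
    $hits = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {             // skip array-style params such as a[]=1
            continue;
        }
        $value = rawurldecode($value);        // second pass catches double encoding (%253B)
        $found = array_values(array_filter(SHELL_META, fn ($c) => str_contains($value, $c)));
        if ($found !== []) {
            $hits[(string) $name] = $found;
        }
    }
    return $hits;
}

/** Scan lines; keep only requests under $pathPrefix that have a suspicious value. */
function scanAccessLog(iterable $lines, string $pathPrefix = '/'): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        $target = requestTarget($line);
        if ($target === null) {
            continue;
        }
        $path = (string) parse_url($target, PHP_URL_PATH);
        if (!str_starts_with($path, $pathPrefix)) {
            continue;
        }
        $hits = suspiciousParams($target);
        if ($hits !== []) {
            $findings[] = ['line' => $i + 1, 'target' => $target, 'params' => $hits];
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic, not real HAXcms paths). Line 2
// carries %3B (';') inside a value, line 3 a double-encoded backtick; lines 1
// and 4 are benign, and line 4 shows why a raw '&' match would be a false positive.
$sample = [
    '10.0.0.5 - - [05/Jun/2026:10:00:01 +0000] "GET /site/index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Jun/2026:10:00:02 +0000] "GET /api/git?branch=main%3Becho%20x HTTP/1.1" 500 80',
    '10.0.0.9 - - [05/Jun/2026:10:00:03 +0000] "GET /api/git?msg=%2560x%2560 HTTP/1.1" 200 80',
    '10.0.0.7 - - [05/Jun/2026:10:00:04 +0000] "GET /api/git?branch=feature/login&page=2 HTTP/1.1" 200 80',
];

foreach (scanAccessLog($sample, '/api/') as $f) {
    printf("line %d: %s -> %s\n", $f['line'], $f['target'], json_encode($f['params']));
}
```

Point `scanAccessLog()` at the real log with `new SplFileObject($path)` in place of the sample array and narrow `$pathPrefix` to the backend's API path; a value flagged here is a reason to check the corresponding PHP process activity in auditd, not by itself proof of exploitation.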
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the HAXcms PHP backend to version 26.0.0 or later, where this vulnerability has been patched.
Until the upgrade can be performed, consider the following immediate actions:
- Restrict access to the vulnerable Git.php library and related endpoints to trusted users only.
- Implement web application firewall (WAF) rules to block requests containing shell metacharacters or suspicious input patterns targeting Git operations.
- Review and harden server permissions to limit the privileges of the web server user, reducing the impact of potential exploitation.
- Monitor logs closely for signs of exploitation attempts and respond promptly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to execute arbitrary OS commands with the privileges of the web server, potentially leading to full remote code execution and complete system compromise.
Such a compromise can result in unauthorized access, modification, or destruction of sensitive data, which negatively impacts confidentiality, integrity, and availability.
Consequently, organizations using affected versions of HAXcms may face challenges in maintaining compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.