CVE-2026-46397
Authenticated Local File Inclusion in HAX CMS
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hax_cms | hax_cms | to 26.0.0 (exc) |
| haxtheweb | haxcms | to 26.0.0 (exc) |
| haxtheweb | haxcms | 26.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46397 is an Authenticated Local File Inclusion (LFI) vulnerability in HAXCMS versions 25.0.0 and below. It exists in the saveOutline API endpoint, where a low-privileged authenticated user can manipulate the location parameter to perform path traversal attacks. By injecting sequences like '../../' into the location field of site.json, the attacker can read arbitrary files on the server.
The vulnerability allows access to sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server user (www-data). The original mitigation was insufficient because certain inputs could bypass it. This issue was patched in version 26.0.0.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker with low-level authenticated access to read sensitive files on your server. This can lead to the exposure of critical information such as system user details (/etc/passwd), application secrets, and configuration files.
Such unauthorized access to sensitive data can compromise the confidentiality of your system and potentially aid further attacks or unauthorized access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unauthorized or suspicious manipulation of the location parameter in the saveOutline API endpoint of HAXCMS. Specifically, look for path traversal sequences such as '../../' or bypass attempts like '.....///.....///' in the location field of site.json.
To detect exploitation attempts, you can monitor web server logs for requests to the saveOutline endpoint containing suspicious path traversal patterns.
Example commands to search for such attempts in logs might include:
- grep -E "saveOutline.*(\.\./|\.\.\\)" /var/log/apache2/access.log
- grep -E "saveOutline.*(\.{5}///)" /var/log/apache2/access.log
Additionally, reviewing the contents of site.json files for unexpected or suspicious location values can help identify exploitation.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade HAXCMS to version 26.0.0 or later, where this vulnerability has been patched.
Until the upgrade can be applied, restrict access to the saveOutline API endpoint to trusted users only, and monitor for suspicious activity involving path traversal sequences in the location parameter.
Implement additional input validation and sanitization on the location field to prevent path traversal attacks, as the original mitigation using str_replace was insufficient.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated low-privileged users to read arbitrary files on the server, including sensitive system files, application secrets, and configuration files. This unauthorized access to sensitive data can lead to confidentiality breaches.
Such breaches of confidentiality may impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information. Exposure of sensitive data due to this vulnerability could result in violations of these regulations.