CVE-2026-46399
Deferred Deferred - Pending Action
Authenticated File Overwrite in HAX CMS PHP

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2026-46399
EUVD
EUVD-2026-34880
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
haxtheweb hax_cms to 25.0.0 (exc)
haxtheweb hax_cms 26.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-15 One or more system settings or configuration elements can be externally controlled by a user.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-46399 is a critical authenticated remote code execution vulnerability in HAX CMS versions below 25.0.0 for both PHP and Node.js implementations.

The vulnerability exists in the `saveOutline` function, which allows authenticated users to overwrite files within the site directory, including the `.git/config` file.

An attacker can manipulate the `location` parameter to target `.git/config` and set `contents` to include malicious Git filter commands, enabling arbitrary shell command execution when a new commit is triggered.

This happens because the function treats the site directory as the relative root, bypassing path traversal restrictions.

Exploitation requires low privileges, no user interaction, and can be performed remotely over the network.

Impact Analysis

Successful exploitation grants an attacker full control over user sites hosted on the HAX CMS server.

  • Data theft
  • Data destruction
  • Use of the compromised server as a pivot point for further attacks

The vulnerability has a critical CVSS score of 9.4, indicating high impacts on confidentiality, integrity, and availability.

Detection Guidance

This vulnerability can be detected by checking for unauthorized or suspicious modifications to the .git/config file within the site directory of HAX CMS installations below version 26.0.0. Since the vulnerability involves overwriting files via the saveOutline function, monitoring file changes to .git/config is critical.

You can look for unusual Git filter commands configured in the .git/config file that could indicate exploitation attempts.

Suggested commands to detect potential exploitation include:

  • Use file integrity monitoring tools or commands like `git diff` or `cat .git/config` to inspect the .git/config file for unexpected filter commands.
  • Check web server logs or application logs for authenticated requests to the saveOutline function or API endpoints that handle file overwrites.
  • Use commands like `grep -r 'filter' /path/to/haxcms/.git/config` to search for suspicious Git filter entries.
Mitigation Strategies

The immediate mitigation step is to upgrade HAX CMS to version 26.0.0 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict authenticated user permissions to prevent unauthorized access to the saveOutline function or any file overwrite capabilities.

Monitor and audit the .git/config file for any unauthorized changes and remove any malicious Git filter commands if found.

Consider disabling Git filter commands or restricting Git operations on the server if possible, to reduce the risk of code execution.

Compliance Impact

The vulnerability allows an attacker to execute arbitrary code on the HAX CMS server, potentially leading to unauthorized access, data theft, and destruction of data.

Such impacts on confidentiality, integrity, and availability of data can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system security.

Successful exploitation could lead to breaches of personal or protected health information, thereby violating regulatory requirements and potentially causing legal and financial consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46399. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart