CVE-2026-46399
Authenticated File Overwrite in HAX CMS PHP
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| haxtheweb | hax_cms | to 25.0.0 (exc) |
| haxtheweb | hax_cms | 26.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-15 | One or more system settings or configuration elements can be externally controlled by a user. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46399 is a critical authenticated remote code execution vulnerability in HAX CMS versions below 25.0.0 for both PHP and Node.js implementations.
The vulnerability exists in the `saveOutline` function, which allows authenticated users to overwrite files within the site directory, including the `.git/config` file.
An attacker can manipulate the `location` parameter to target `.git/config` and set `contents` to include malicious Git filter commands, enabling arbitrary shell command execution when a new commit is triggered.
This happens because the function treats the site directory as the relative root, bypassing path traversal restrictions.
Exploitation requires low privileges, no user interaction, and can be performed remotely over the network.
How can this vulnerability impact me?
Successful exploitation grants an attacker full control over user sites hosted on the HAX CMS server, which can lead to:
- Data theft
- Data destruction
- Use of the compromised server as a pivot point for further attacks
The vulnerability has a critical CVSS score of 9.4, indicating high impacts on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unauthorized or suspicious modifications to the `.git/config` file within the site directory of HAX CMS installations below version 26.0.0. Since the vulnerability involves overwriting files via the `saveOutline` function, monitoring file changes to `.git/config` is critical.
You can look for unusual Git filter commands configured in the `.git/config` file that could indicate exploitation attempts.
Suggested commands to detect potential exploitation include:
- Use file integrity monitoring tools or commands like `git diff` or `cat .git/config` to inspect the `.git/config` file for unexpected filter commands.
- Check web server logs or application logs for authenticated requests to the `saveOutline` function or API endpoints that handle file overwrites.
- Use commands like `grep -r 'filter' /path/to/haxcms/.git/config` to search for suspicious Git filter entries.
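As an added defensive example (not part of this advisory or of the HAX CMS project), the following Python script implements the `.git/config` check suggested above: it parses the file, lists every filter driver that executes a command, and flags those whose program is not on a known-good allowlist. The allowlist containing only Git LFS, the sample config and the `/tmp/filter-ran` command are assumptions constructed for the example.

```python
import re
# Git runs the value of these filter-driver keys as a shell command: 'clean' on
# add/commit, 'smudge' on checkout, 'process' for long-running filter drivers.
FILTER_EXEC_KEYS = {"clean", "smudge", "process"}
# Assumption: the only filter driver expected in a site checkout is Git LFS.
KNOWN_GOOD_PREFIXES = ("git-lfs",)

SECTION_RE = re.compile(r'^\[(?P<name>[\w.-]+)(?:\s+"(?P<sub>[^"]*)")?\]$')
KEYVAL_RE = re.compile(r'^(?P<key>[\w-]+)\s*=\s*(?P<val>.*?)$')

def parse_git_config(text):
    """Minimal git-config parser: (section, subsection, key, value) in file order.
    Duplicate keys are kept: Git honours them, and an appended line shows up as one."""
    entries, section, sub = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if m := SECTION_RE.match(line):
            section, sub = m.group("name").lower(), m.group("sub")
        elif (m := KEYVAL_RE.match(line)) and section is not None:
            entries.append((section, sub, m.group("key").lower(), m.group("val")))
    return entries

def find_filter_commands(text):
    """Every filter.<driver>.{clean,smudge,process} entry as (driver, key, command)."""
    return [(sub or "", key, val) for sec, sub, key, val in parse_git_config(text)
            if sec == "filter" and key in FILTER_EXEC_KEYS]

def suspicious_filters(text, allowed_prefixes=KNOWN_GOOD_PREFIXES):
    """Filter commands whose program is not on the allowlist."""
    return [hit for hit in find_filter_commands(text)
            if not hit[2].lstrip().startswith(allowed_prefixes)]

# Constructed sample (not a real indicator): a legitimate LFS driver plus an
# unexpected driver of the kind a tampered .git/config would carry.
SAMPLE_CONFIG = """\
[filter "lfs"]
\tclean = git-lfs clean -- %f
\tsmudge = git-lfs smudge -- %f
[filter "unexpected"]
\tclean = sh -c "touch /tmp/filter-ran"
"""

if __name__ == "__main__":  # usage: python check_git_filters.py /path/to/site/.git/config
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for driver, key, cmd in suspicious_filters(text):
        print(f"SUSPICIOUS filter.{driver}.{key} = {cmd}")
```

Because `.git/config` is not a tracked file, changes to it are caught by comparing against a baseline copy or by file integrity monitoring rather than by `git diff`.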
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade HAX CMS to version 26.0.0 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict authenticated user permissions to prevent unauthorized access to the `saveOutline` function or any file overwrite capabilities.
Monitor and audit the `.git/config` file for any unauthorized changes and remove any malicious Git filter commands if found.
Consider disabling Git filter commands or restricting Git operations on the server if possible, to reduce the risk of code execution.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to execute arbitrary code on the HAX CMS server, potentially leading to unauthorized access, data theft, and destruction of data.
Such impacts on confidentiality, integrity, and availability of data can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system security.
Successful exploitation could lead to breaches of personal or protected health information, thereby violating regulatory requirements and potentially causing legal and financial consequences.