CVE-2026-46399
CRITICAL
9,4
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
Description
AI Translation Available
HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue.
15
External Control of System or Configuration Setting
IncompleteCommon Consequences
Security Scopes Affected:
Other
Potential Impacts:
Varies By Context
Applicable Platforms
Technologies:
Not Technology-Specific, ICS/OT
73
External Control of File Name or Path
DraftCommon Consequences
Security Scopes Affected:
Integrity
Confidentiality
Availability
Potential Impacts:
Read Files Or Directories
Modify Files Or Directories
Execute Unauthorized Code Or Commands
Dos: Crash, Exit, Or Restart
Dos: Resource Consumption (Other)
Applicable Platforms
Operating Systems:
Unix, Windows, macOS
78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
StableCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Availability
Non-Repudiation
Potential Impacts:
Execute Unauthorized Code Or Commands
Dos: Crash, Exit, Or Restart
Read Files Or Directories
Modify Files Or Directories
Read Application Data
Modify Application Data
Hide Activities
Applicable Platforms
Technologies:
Not Technology-Specific, AI/ML, Web Server
https://github.com/haxtheweb/issues/security/advisories/GHSA-q759-vxg8-vq5j