CVE Catalog

CVE-2026-46400

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

31th percentile - higher than 31% of all known CVEs

Summary

HAX CMS, used for managing microsites with PHP or NodeJs backends, has a vulnerability in the file upload functionality that in versions 11.0.6 to 25.0.0 only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicious files, potentially leading to remote code execution.

Risk Assessment

Organizations may be exposed to remote code execution attacks, which can lead to serious security breaches and data loss.

Recommendation

It is recommended to update HAX CMS to version 25.0.0 or newer to mitigate this vulnerability. Additionally, implementing further security measures for file uploads is advisable.

Original NVD description (English source)

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 11.0.6 and prior to version 25.0.0, the file upload functionality in HAXCMS PHP only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicious files (e.g., PHP webshells) disguised as legitimate image files, potentially leading to remote code execution. Version 25.0.0 contains a fix for the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS