CVE-2026-46400
HighCVSS 8.7Exploitation Probability (EPSS)
Low risk31th percentile - higher than 31% of all known CVEs
Summary
HAX CMS, used for managing microsites with PHP or NodeJs backends, has a vulnerability in the file upload functionality that in versions 11.0.6 to 25.0.0 only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicious files, potentially leading to remote code execution.
Risk Assessment
Organizations may be exposed to remote code execution attacks, which can lead to serious security breaches and data loss.
Recommendation
It is recommended to update HAX CMS to version 25.0.0 or newer to mitigate this vulnerability. Additionally, implementing further security measures for file uploads is advisable.
Original NVD description (English source)
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 11.0.6 and prior to version 25.0.0, the file upload functionality in HAXCMS PHP only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicious files (e.g., PHP webshells) disguised as legitimate image files, potentially leading to remote code execution. Version 25.0.0 contains a fix for the issue.

