HAX CMS PHP allows Insecure File Upload to Lead to Remote Code Execution
Description
HAX CMS PHP's file upload uses a non-exhaustive denylist, allowing authenticated attackers to upload executable files like .phar and achieve remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The save function in HAXCMSFile.php (versions prior to 10.0.3) in HAX CMS PHP uses a denylist to block file uploads with the extensions .php, .sh, .js, and .css. This denylist is non-exhaustive and the logic fails open: any file whose extension is not on the list is accepted, so files with other executable extensions such as .phar can be uploaded. Affected endpoints include setUserPhoto() and saveFile() in Operations.php [1].
Exploitation
An authenticated attacker can upload a PHP web shell with a valid extension not in the denylist (e.g., .phar) via the image insertion feature in the editor. The attacker can intercept the request with a proxy (e.g., Burp Suite) to obtain the full URL of the uploaded file. Browsing to that URL allows execution of arbitrary commands as the www-data user [1].
Impact
Successful exploitation grants remote code execution as www-data, which has write access to all HAX sites on the server. This allows the attacker to modify, deface, or delete any other HAX website, compromising the entire server's data integrity and availability [1].
Mitigation
The vulnerability is fixed in HAX CMS version 10.0.3, released on April 8, 2025. Users should upgrade to this version immediately. No workaround is available other than applying the patch [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <10.0.3
- haxtheweb/issues v5, Range: >= 9.0.0, < 10.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The file upload function uses a non-exhaustive denylist for file extensions, allowing malicious files to be uploaded."
Attack vector
An authenticated attacker can exploit this vulnerability by uploading a file with an extension not blocked by the denylist, such as '.phar' [1]. The application's 'save' function in 'HAXCMSFile.php' fails to adequately validate file types, leading to a 'fail open' scenario [1]. This allows for the upload of executable files that can be interpreted by the PHP engine. The uploaded malicious file can then be accessed via its URL, enabling remote code execution on the server [1].
Affected code
The vulnerability resides in the 'save' function within 'HAXCMSFile.php' [1]. Multiple file upload functionalities, including 'setUserPhoto' in 'Operations.php' and 'saveFile' in 'Operations.php', call this 'save' function [1]. The affected endpoints include '<domain>/<user>/system/api/setUserPhoto' and '<domain>/<user>/system/api/saveFile' [1].
What the fix does
The vulnerability is fixed in version 10.0.3. The advisory does not provide specific details on the code changes made in the patch, but it rectifies the insecure file upload logic that allowed the denylist to be bypassed [1]. The fix ensures that only safe file types are permitted, preventing the execution of malicious code.
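As an added illustration (not HAX CMS code and not the 10.0.3 patch, whose diff the advisory does not describe), the fail-open denylist pattern the advisory describes is shown beside a fail-closed allowlist check; the function names, file names and sample bytes are constructed for this example.

```php
<?php
// Added illustration, not HAX CMS code. Contrasts a fail-open extension
// denylist with a fail-closed allowlist plus content check. Requires PHP 8+.

// Weak pattern (as the advisory describes it): block a few extensions and
// accept everything else. Any extension not listed here passes.
function denylist_allows(string $filename): bool {
    $blocked = ['.php', '.sh', '.js', '.css'];
    foreach ($blocked as $ext) {
        if (str_contains(strtolower($filename), $ext)) {
            return false;
        }
    }
    return true; // fails open: .phar, .phtml, etc. are not on the list
}

// Hardened pattern: accept only a fixed set of image extensions, verify the
// bytes match the claimed type (finfo, not the client-supplied MIME), and
// build the stored name ourselves so no user-controlled text reaches the
// filesystem or the URL. Returns null (reject) on any doubt.
function allowlist_accepts(string $filename, string $tmpPath): ?string {
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null; // unknown extension: reject rather than pass through
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== $allowed[$ext]) {
        return null; // extension and content disagree
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demo: a temp file holding only the 8-byte PNG signature.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n");
foreach (['avatar.png', 'avatar.phar', 'avatar.PNG'] as $name) {
    printf("%-12s denylist=%s allowlist=%s\n", $name,
        denylist_allows($name) ? 'allow' : 'block',
        allowlist_accepts($name, $tmp) === null ? 'reject' : 'accept');
}
unlink($tmp);
```

The denylist accepts 'avatar.phar' while the allowlist rejects it; the allowlist also rejects 'avatar.phar' even if the bytes were a valid image, since the extension alone decides how the web server will interpret the file. Serving uploads from a location where the server does not execute scripts remains a separate, complementary control.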
Preconditions
- auth: The attacker must be authenticated to the HAX CMS PHP application.
Reproduction
1. Enter the editor for a HAX site and insert an image block.
2. Upload a PHP web shell with a valid extension that doesn't contain the string '.php', such as '.phar'.
3. View the web request using a proxy to observe the full URL of the uploaded file.
4. Browse to the uploaded web shell and provide a command to execute.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p (MITRE, x_refsource_CONFIRM)