CVE-2026-46392

An attacker can upload an HTML file with an uppercase extension (e.g., `.HTML`) to the HAX CMS. The `saveFile` endpoint validates extensions case-insensitively, allowing the upload. However, the `.htaccess` rule that forces a `Content-Disposition: attachment` header for HTML files is case-sensitive and does not match uppercase extensions. This causes the browser to render the HTML file inline, executing any embedded JavaScript within the HAX CMS origin context [ref_id=1]. This bypasses a previous mitigation for CVE-2026-22704 [ref_id=1].

The vulnerability lies in the `saveFile` endpoint's handling of file uploads and the `.htaccess` configuration. Specifically, the PHP validation in HAXCMSFile.php uses a case-insensitive regex for extension matching, while the `.htaccess` rule uses `SetEnvIf` which is case-sensitive by default [ref_id=1].

Version 26.0.0 normalizes uploaded file extensions to lowercase. This ensures that the `.htaccess` rule, which is case-sensitive, consistently matches all uploaded HTML files, regardless of their original casing. By forcing the `Content-Disposition: attachment` header for all valid HTML uploads, the vulnerability that allowed inline rendering and script execution is resolved [ref_id=1].

1. Log in to a HAXcms deployment. 2. Create or open a site and upload `poc.HTML` through the HAX editor's media/add button. The upload will succeed due to case-insensitive validation. 3. Visit the uploaded file at `https://TARGET/_sites/SITENAME/files/poc.HTML`. The page renders inline, and the embedded script executes, exfiltrating data to a webhook. 4. Send the link to another authenticated user. When they open it, the exploit chain fires using their session cookies, compromising their account and sites [ref_id=1].