VYPR
High severity · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-46394

Description

HAX CMS PHP backend's Git.php library has an OS command injection flaw, allowing arbitrary command execution as the web server user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend, affecting versions prior to 26.0.0. The run() method constructs shell command strings by concatenating unsanitized input directly into the command, which is then executed via proc_open(). Out of 17 functions invoking shell commands, only commit() correctly uses escapeshellarg(). [1]

Exploitation

An attacker needs to control parameters passed into Git operations, which can be influenced through other vulnerabilities like path traversal, file overwrite, or configuration poisoning. The attacker can then call a vulnerable function, such as create_branch(), with an injected payload like test; echo COMMAND_INJECTION > PWNED.txt (or test& echo COMMAND_INJECTION > PWNED.txt on Windows). This payload is executed by the application, confirming arbitrary OS command execution. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands with the privileges of the web server process. When combined with another vulnerability that allows configuration manipulation, this issue can lead to full remote code execution and complete system compromise. [1]

Mitigation

Version 26.0.0 patches this issue. No other mitigation or workaround details are available in the provided references. [1]

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application constructs shell command strings using unsanitized input and executes them via proc_open()."

Attack vector

An attacker who can control parameters passed into Git operations can execute arbitrary OS commands with the privileges of the web server [ref_id=1]. The vulnerability originates from unsafe command construction in the Git.php library, specifically the run() method which concatenates input directly into a shell command string that is then executed via proc_open() [ref_id=1]. Because the command is passed as a single string, it is interpreted by the system shell, allowing any embedded shell metacharacters to be executed [ref_id=1]. This can be achieved by influencing configuration values, such as site.json, through other vulnerabilities like path traversal or file overwrite [ref_id=1].

Affected code

The vulnerability exists in the Git.php library of the HAXcms PHP backend. The run() method within this library is responsible for constructing and executing shell commands by concatenating input directly into a command string, which is then passed to proc_open() [ref_id=1]. This method is called with parameters that can originate from configuration values, such as site.json [ref_id=1].

What the fix does

Version 26.0.0 patches the issue by ensuring that input used in shell commands is properly sanitized. The advisory notes that out of 17 functions invoking shell commands, only the commit() function correctly used escapeshellarg() prior to the fix [ref_id=1]. The patch presumably addresses the unsafe command construction in the Git.php library, preventing the execution of arbitrary OS commands by properly escaping or validating user-supplied input before it is incorporated into shell commands.
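As an added illustration (not HAXcms's own code), the string-concatenation pattern the advisory describes is shown next to two hardened forms: handing proc_open() an argv array so no shell is involved, and escapeshellarg() where a shell string cannot be avoided, as commit() already did. Function names are hypothetical and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);
// Added illustration with hypothetical helper names; not HAXcms code.

// Allowlist check on a branch name: git-ref-like characters only, no
// shell metacharacters. Rejecting early is defence in depth even when
// the command itself is built safely below.
function isSafeBranchName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}$/', $name)
        && !str_contains($name, '..')
        && !str_ends_with($name, '.lock');
}

// UNSAFE pattern from the advisory: one string handed to the shell, so
// "test; echo x > PWNED.txt" is parsed as two commands. Contrast only.
function buildUnsafeCommand(string $branch): string
{
    return 'git branch ' . $branch;
}

// Fallback when a shell string is unavoidable: quote every operand with
// escapeshellarg(); the shell then sees a single literal argument.
function buildQuotedCommand(string $branch): string
{
    return 'git branch ' . escapeshellarg($branch);
}

// Hardened: proc_open() with an array (PHP >= 7.4) execs git directly
// with argv, so no shell parses the arguments and metacharacters are inert.
function runGit(string $repo, string ...$args): array
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['git', ...$args], $spec, $pipes, $repo);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start git');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['code' => proc_close($proc), 'out' => $out, 'err' => $err];
}

function createBranch(string $repo, string $branch): array
{
    if (!isSafeBranchName($branch)) {
        throw new InvalidArgumentException('rejected branch name');
    }
    return runGit($repo, 'branch', $branch);
}
```

With the allowlist in place the advisory's payload is rejected before any process starts; even without it, the array form of proc_open() would pass the whole string to git as one branch-name argument, which git itself refuses.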

Preconditions

  • input: Control over parameters passed into Git operations.
  • config: Ability to influence configuration values (e.g., site.json) through other vulnerabilities like path traversal or file overwrite.

Reproduction

Create a temporary Git repository in a controlled environment and initialize it with an initial commit. Call a vulnerable function such as create_branch() with an injected payload, like: `test; echo COMMAND_INJECTION > PWNED.txt` (replace `;` with `&` if the replication environment is Windows). The application executes `git branch test; echo COMMAND_INJECTION > PWNED.txt`, and PWNED.txt is created in the repository, confirming that arbitrary OS commands are executed through unsanitized input [ref_id=1].

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.