VYPR
Medium severity6.5NVD Advisory· Published Jun 5, 2026· Updated Jun 5, 2026

CVE-2026-46397

Description

HAX CMS 26.0.0 and earlier has an Authenticated LFI vulnerability in saveOutline, allowing low-privileged users to read sensitive files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Prior to version 26.0.0, HAX CMS contains an Authenticated Local File Inclusion (LFI) vulnerability within the saveOutline endpoint. This vulnerability allows a low-privileged authenticated user to read arbitrary files on the server by manipulating the location field, which is written into site.json. The affected versions are all versions prior to 26.0.0 [1].

Exploitation

An attacker must first authenticate to the HAX CMS and obtain the JWT and CSRF tokens. Subsequently, they can issue a POST request to the /system/api/saveOutline endpoint, injecting path traversal sequences into the location parameter. This manipulation allows the attacker to bypass previous sanitization efforts and read arbitrary files accessible by the web server user [1].

Impact

Successful exploitation of this vulnerability allows an attacker to read any file on the filesystem that is accessible by the www-data user. This can include sensitive system files such as /etc/passwd, application secrets, or configuration files, leading to information disclosure [1].

Mitigation

HAX CMS version 26.0.0 addresses this vulnerability. Users are advised to upgrade to version 26.0.0 or later. No workarounds are mentioned in the available references, and the vulnerability is not listed as part of the Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The saveOutline endpoint improperly sanitizes file path inputs, allowing directory traversal."

Attack vector

An authenticated, low-privileged user can exploit this vulnerability by manipulating the `location` parameter in a POST request to the `/system/api/saveOutline` endpoint. This manipulation involves using path traversal sequences to craft a path to sensitive files. The manipulated path is written into `site.json`, which can then be read by the attacker. This allows for the exfiltration of arbitrary files accessible by the web server user [1].

Affected code

The vulnerability exists in the `saveOutline` endpoint, specifically concerning the manipulation of the `location` field that is written into `site.json`. The advisory notes that a previous fix using `str_replace` on `./` and `../` in the `getPageContent` function was insufficient [1].

What the fix does

The advisory suggests using the `realpath` PHP function to resolve the absolute path of the provided location. After resolving the path, it should be validated to ensure it resides within a permitted directory, for example by using `strpos` to check that the resolved path starts with the expected root directory. This prevents directory traversal by ensuring that only files within the intended scope can be accessed [1].
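As an added example (not HAX CMS code and not the project's actual patch), the following PHP function implements the `realpath`-then-prefix validation described above and exercises the edge cases a reviewer would check: a `..` that stays inside the root, a nonexistent file (where `realpath` returns `false`), a sibling directory whose name shares the root's prefix, and a NUL byte. The function name `resolveWithinRoot` and the temporary site layout are assumptions made for the demonstration.

```php
<?php
// Added example, not HAX CMS code and not the project's patch. It implements
// the realpath()-then-prefix validation described in the advisory and checks
// the edge cases that a single-pass str_replace() of "../" does not cover.
// The function name and the temporary site layout are assumptions.
declare(strict_types=1);

/**
 * Resolve $location against $root and return the canonical absolute path only
 * if it lies inside $root. Any failure (missing file, traversal, bad input)
 * returns null so the caller has a single condition to test.
 */
function resolveWithinRoot(string $root, string $location): ?string
{
    // Canonicalise the allowed root once. realpath() returns false when the
    // path does not exist, so treat that as a configuration error.
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }

    // NUL bytes can truncate paths in lower layers; reject them up front.
    if (strpos($location, "\0") !== false) {
        return null;
    }

    // realpath() collapses '.', '..' and symlinks, which is why it is the right
    // primitive here and a one-shot str_replace('../', '', ...) is not.
    // It also returns false for a file that does not exist.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $location);
    if ($candidate === false) {
        return null;
    }

    // Compare against the root WITH a trailing separator. Without it,
    // "/srv/site" would also accept "/srv/site-backup/secret.txt".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($candidate, $prefix) !== 0) {
        return null;
    }

    return $candidate;
}

// --- Constructed demo layout in a temporary directory -----------------------
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sitedemo_' . bin2hex(random_bytes(4));
mkdir($root . '/pages', 0700, true);
mkdir($root . '-sibling', 0700, true);   // shares the root's name as a prefix
file_put_contents($root . '/pages/intro.html', '<p>hello</p>');
file_put_contents($root . '-sibling/secret.txt', 'must not be reachable through the site');

// Input => whether the check should allow it.
$cases = [
    'pages/intro.html'                                        => true,  // normal page
    'pages/../pages/intro.html'                               => true,  // '..' that stays inside root
    '../../../../etc/passwd'                                  => false, // resolves outside root
    'pages/../../' . basename($root) . '-sibling/secret.txt'  => false, // prefix-collision sibling
    'pages/missing.html'                                      => false, // nonexistent file
    "pages/intro.html\0.txt"                                  => false, // NUL byte
];

foreach ($cases as $input => $shouldAllow) {
    $allowed = resolveWithinRoot($root, $input) !== null;
    printf("%-5s %s\n", $allowed === $shouldAllow ? 'ok' : 'FAIL', addcslashes($input, "\0"));
}

// Clean up the constructed layout.
unlink($root . '/pages/intro.html');
unlink($root . '-sibling/secret.txt');
rmdir($root . '/pages');
rmdir($root . '-sibling');
rmdir($root);
```

Run it with `php resolve_within_root.php`; every line should print `ok`. The trailing-separator detail is the part most often missed when the advisory's `strpos` check is implemented literally: a bare `strpos($candidate, $rootReal) === 0` would accept the sibling-directory case.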

Preconditions

  • auth: The attacker must be authenticated to the HAXCMS instance.
  • input: The attacker needs to obtain a JWT and CSRF token to craft the malicious request.

Reproduction

1. Authenticate to the CMS and retrieve the JWT and CSRF token.
2. Issue a POST request to `/system/api/saveOutline` with the path traversal injection via the location parameter.
3. Curl the website root to see the file contents.

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 1