CVE-2026-46399
Description
HAX CMS PHP before v26.0.0 allows authenticated file overwrite via Git filter commands, leading to code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The PHP version of HAX CMS prior to version 26.0.0 contains an authenticated file overwrite vulnerability. The saveOutline function takes a client-supplied location path and file contents and writes them without confining the path to the intended site content, allowing an authenticated attacker to overwrite arbitrary files under the site root, including `.git/config` [1].
Exploitation
An authenticated attacker intercepts and modifies the HTTP requests the HAX CMS editor sends to saveOutline. A first saveOutline request establishes the Git filter assignment and triggers a commit; a second request sets `location` to `.git/config` and supplies content that defines a Git filter under a `[filter "<name>"]` section. Git runs a filter's `clean` or `smudge` entry as a shell command, but only for paths that carry a matching `filter=<name>` attribute (from `.gitattributes` or `.git/info/attributes`); the `clean` command runs whenever such a path is staged. Because saveOutline commits the site after writing, the next saveOutline call executes the attacker's command [1].
Impact
Successful exploitation gives the attacker arbitrary command execution on the HAX CMS server as the web server user. Control over `.git/config` is sufficient because Git treats the `clean` and `smudge` entries of a `[filter "<name>"]` section as commands to run for filtered paths, and saveOutline itself performs the commit, so no further access to the host is needed [1].
Mitigation
HAX CMS version 26.0.0 addresses this vulnerability. Users are advised to upgrade to version 26.0.0 or later. No workarounds are described in the available references [1].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- HAX CMS PHP, versions <26.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The saveOutline function allows overwriting arbitrary files within the site directory, including sensitive configuration files."
Attack vector
An authenticated attacker sends a crafted POST request to the saveOutline API endpoint with the `location` parameter set to `.git/config` and `contents` set to a Git configuration that defines a filter whose `clean` or `smudge` entry is an attacker-chosen command. HAX CMS triggers a Git commit as part of saveOutline, Git runs the filter command for any path assigned to that filter, and the result is remote code execution on the server [1].
Affected code
The vulnerability resides in the `saveOutline` function in `Operations.php` at line 501. The function accepts a client-defined `location` and `contents` and writes `contents` to `location` relative to the site directory without confining the path, so `.git/config`, the file in which Git filter commands are defined, can be overwritten [1].
What the fix does
Version 26.0.0 of HAX CMS addresses the issue by validating the file path passed to saveOutline more strictly, so that control files such as `.git/config` can no longer be overwritten and a malicious Git filter can no longer be injected, which removes the route to remote code execution [1].
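The following PHP is an added illustration of the defect class and of the kind of path confinement the fix description implies; it is not HAX CMS code and does not reproduce the actual patch. The function names `saveOutlineUnsafe`, `resolveSitePath` and `saveOutlineSafe`, the `$siteRoot`/`$location`/`$contents` parameters and the temporary directory layout are assumptions made for the example.

```php
<?php
// Added example, not HAX CMS code. Shows the unsafe "join client path to
// site root and write" pattern beside a hardened version that confines
// writes to the site root and refuses any dot-directory such as .git.
// All names here are assumptions for illustration.
declare(strict_types=1);

// Vulnerable shape: the client-supplied location is joined to the site
// root and written as-is, so ".git/config" or "../x" lands wherever the
// caller says.
function saveOutlineUnsafe(string $siteRoot, string $location, string $contents): void
{
    file_put_contents($siteRoot . '/' . $location, $contents);
}

/**
 * Return the absolute path for $location under $siteRoot, or null if the
 * path must be rejected. Validation is lexical first (so it works for
 * files that do not exist yet) and then compares the real parent
 * directory with the real site root to defeat symlink tricks.
 */
function resolveSitePath(string $siteRoot, string $location): ?string
{
    // Empty, NUL-containing and absolute paths are never legitimate here.
    if ($location === '' || str_contains($location, "\0")
        || $location[0] === '/' || $location[0] === '\\') {
        return null;
    }
    $segments = explode('/', str_replace('\\', '/', $location));
    foreach ($segments as $seg) {
        // '' and '.' would collapse, '..' escapes, and any dot-prefixed
        // segment covers .git, .gitattributes, .htaccess and similar.
        if ($seg === '' || $seg === '.' || $seg === '..' || $seg[0] === '.') {
            return null;
        }
    }
    $root = realpath($siteRoot);
    if ($root === false) {
        return null;
    }
    $candidate = $root . '/' . implode('/', $segments);
    // The target may not exist yet; its parent must exist and must resolve
    // inside the site root even if a symlink points elsewhere.
    $parent = realpath(dirname($candidate));
    if ($parent === false
        || ($parent !== $root && !str_starts_with($parent, $root . '/'))) {
        return null;
    }
    return $candidate;
}

// Hardened shape: refuse instead of writing when the path fails validation.
function saveOutlineSafe(string $siteRoot, string $location, string $contents): bool
{
    $path = resolveSitePath($siteRoot, $location);
    if ($path === null) {
        return false;
    }
    return file_put_contents($path, $contents) !== false;
}

// Demonstration against a throwaway site directory (constructed layout).
$root = sys_get_temp_dir() . '/haxdemo_' . bin2hex(random_bytes(4));
mkdir($root . '/pages/abc', 0700, true);
mkdir($root . '/.git', 0700);

$cases = [
    'pages/abc/index.html' => true,   // ordinary page content: allowed
    '.git/config'          => false,  // the file this CVE overwrites
    'pages/../.git/config' => false,  // traversal into .git
    '.gitattributes'       => false,  // where filter=<name> is assigned
    '/etc/passwd'          => false,  // absolute path
];
foreach ($cases as $loc => $expectAllowed) {
    $allowed = saveOutlineSafe($root, $loc, "<p>hi</p>\n");
    printf("%-22s %s\n", $loc, $allowed ? 'written' : 'rejected');
    assert($allowed === $expectAllowed);
}
```

The lexical pass rejects every dot-prefixed segment, which blocks both `.git/config` (where the filter command lives) and `.gitattributes` (where paths are assigned to a filter); a site that legitimately writes dot-files would instead allowlist the directories saveOutline may touch. The `realpath` comparison on the parent directory is what stops a symlink inside the site root from redirecting a syntactically clean path outside it.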
Preconditions
- Authentication: the attacker must be authenticated to the HAX CMS instance.
- Configuration: the HAX CMS instance must have a `.git` directory within its site root, which is typically present when Git integration is enabled.
Reproduction
1. Authenticate to a HAX CMS instance and create a new site.
2. Intercept traffic using a web proxy (e.g., Burp Suite).
3. Record the `site_token` from the response of a `GET /system/api/connectionSettings` request.
4. Create a new page and note its ID.
5. Send a `saveOutline` request with `location` set to `pages/<page-id>/index.html` and `contents` set to `* filter=pwn`.
6. Send a second `saveOutline` request, changing `location` to `.git/config` and `contents` to a malicious Git configuration including a filter command.
7. Trigger `saveOutline` again to execute the command [1].
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- [1] HAX CMS: 15 Vulnerabilities Disclosed Together on June 5, 2026. Vypr Intelligence, Jun 5, 2026.