CVE-2026-46392 Overview
CVE-2026-46392 is a stored cross-site scripting (XSS) vulnerability in HAX CMS PHP affecting all versions prior to 26.0.0. The saveFile endpoint validates upload extensions case-insensitively but writes the filename to disk verbatim. The .htaccess rule that forces Content-Disposition: attachment on HTML files is case-sensitive, so files with uppercase extensions like .HTML, .Html, or .HTM bypass the download enforcement and render inline in the browser. This defeats the mitigation introduced for CVE-2026-22704 and enables JavaScript execution in the HAXcms origin. The flaw is tracked under [CWE-178: Improper Handling of Case Sensitivity].
Critical Impact
Authenticated attackers can upload HTML files with uppercase extensions to execute arbitrary JavaScript in the HAXcms origin, leading to session hijacking and account compromise.
Affected Products
- HAX CMS PHP versions prior to 26.0.0
- HAXcms microsite management backends running PHP
- Deployments relying on the .htaccess mitigation from CVE-2026-22704
Discovery Timeline
- 2026-06-05 - CVE-2026-46392 published to NVD
- 2026-06-05 - Last updated in NVD database
Technical Details for CVE-2026-46392
Vulnerability Analysis
The vulnerability arises from inconsistent case handling between two security controls in HAX CMS PHP. The saveFile endpoint validates extensions using case-insensitive matching, accepting both .html and .HTML as restricted. However, the upload routine preserves the original filename casing when writing to disk. The webserver-level mitigation depends on a .htaccess rule that matches HTML extensions in a case-sensitive manner. Files saved with mixed-case or uppercase extensions are still served with the text/html MIME type but never receive the Content-Disposition: attachment header that was intended to force a download instead of inline rendering.
Root Cause
The root cause is a mismatch between the application-layer validation logic and the webserver-layer enforcement. The PHP code normalizes extensions for the allow/deny check but does not normalize the filename before persisting it. The Apache .htaccess directive that enforces the download header uses a case-sensitive pattern, so .HTML and .Htm fall outside its scope. This is classified as CWE-178, improper handling of case sensitivity.
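The two controls described in the analysis and root-cause sections can be modelled side by side. The Python below is an added illustration, not code from HAX CMS PHP: it assumes a lowercase-only pattern `\.(html?)$` for the pre-fix .htaccess rule (the advisory does not quote the real rule) and a two-entry restricted-extension set, and it contrasts the verbatim storage of pre-26.0.0 with the lowercase-the-extension normalization the fix and the workaround describe.

```python
import os
import re

# Assumed set of HTML-family extensions the application treats as restricted.
# The real allow/deny table lives in the project's PHP code, not here.
RESTRICTED_EXTENSIONS = {"html", "htm"}

# Model of the pre-fix .htaccess rule: case-SENSITIVE, so only lowercase
# ".html"/".htm" get Content-Disposition: attachment (assumed pattern).
HTACCESS_RULE_CASE_SENSITIVE = re.compile(r"\.(html?)$")

# Model of the workaround rule with (?i) applied: case-INSENSITIVE.
HTACCESS_RULE_CASE_INSENSITIVE = re.compile(r"\.(html?)$", re.IGNORECASE)


def is_restricted_extension(filename: str) -> bool:
    """Application-layer check as saveFile performs it: the extension is
    lowercased before comparison, so .HTML and .html are both recognised."""
    _, ext = os.path.splitext(filename)
    return ext.lstrip(".").lower() in RESTRICTED_EXTENSIONS


def forces_download(stored_name: str, rule: "re.Pattern[str]") -> bool:
    """Webserver-layer check: would the .htaccess rule add the attachment
    disposition for the filename as it exists on disk?"""
    return rule.search(stored_name) is not None


def store_filename_vulnerable(filename: str) -> str:
    """Pre-26.0.0 behaviour: the uploaded filename is written to disk verbatim."""
    return filename


def store_filename_fixed(filename: str) -> str:
    """Hardened behaviour: lowercase the extension before persisting, so the
    application check and the webserver rule see the same string."""
    stem, ext = os.path.splitext(filename)
    return stem + ext.lower()


def renders_inline(stored_name: str, rule: "re.Pattern[str]") -> bool:
    """True when an HTML-family file would be served inline, i.e. as text/html
    without an attachment disposition. This is the XSS condition."""
    return is_restricted_extension(stored_name) and not forces_download(stored_name, rule)


def evaluate(upload_name: str, store, rule) -> dict:
    """Run one upload name through a storage policy and an .htaccess model."""
    stored = store(upload_name)
    return {
        "stored_as": stored,
        "restricted_by_app": is_restricted_extension(upload_name),
        "download_forced": forces_download(stored, rule),
        "renders_inline": renders_inline(stored, rule),
    }


if __name__ == "__main__":
    for name in ("page.html", "page.HTML", "page.Htm", "notes.txt"):
        print(name, "vulnerable:", evaluate(name, store_filename_vulnerable, HTACCESS_RULE_CASE_SENSITIVE))
        print(name, "fixed:     ", evaluate(name, store_filename_fixed, HTACCESS_RULE_CASE_SENSITIVE))
```

Running it shows the gap in one row: `page.HTML` is `restricted_by_app` under the vulnerable policy yet `download_forced` is false, so `renders_inline` is true; under the fixed policy the file is stored as `page.html` and the same rule catches it. Either normalizing the stored name or making the rule case-insensitive closes the gap; doing both removes the dependency between the two layers.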
Attack Vector
An authenticated user with upload permissions submits an HTML payload through the saveFile endpoint using an uppercase extension such as .HTML. The server stores the file verbatim and later serves it with a text/html content type. When another user, including an administrator, opens the URL, the browser renders the file inline and executes any embedded JavaScript under the HAXcms origin. The attacker can steal session cookies, perform actions on behalf of the victim, or pivot to further compromise. The CVSS vector indicates a scope change because the executed script operates in the trusted origin of other users.
No public proof-of-concept code is referenced in the advisory. See the GitHub Security Advisory for vendor-provided technical details.
Detection Methods for CVE-2026-46392
Indicators of Compromise
- Files with uppercase or mixed-case HTML extensions (.HTML, .Html, .HTM) in HAXcms upload directories
- Web server access logs showing GET requests to user-uploaded files with non-lowercase HTML extensions
- Outbound requests from user browsers to attacker-controlled domains shortly after viewing HAXcms content
- Unexpected session token exfiltration or administrative actions originating from HAXcms sessions
Detection Strategies
- Audit the HAXcms file storage tree for any file whose extension contains uppercase characters and matches HTML variants
- Inspect HTTP responses from HAXcms to confirm whether Content-Disposition: attachment is present for all HTML-family files
- Review recent saveFile POST requests in application logs for filenames containing uppercase HTML extensions
Monitoring Recommendations
- Enable continuous logging of upload endpoints and alert on filenames that match a case-insensitive HTML pattern but not a case-sensitive one
- Monitor browser-side error reports or Content Security Policy violations on the HAXcms origin
- Track authentication anomalies such as session reuse from unexpected geolocations following file access events
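The indicators, detection strategies and monitoring recommendations above share one predicate: a filename that matches an HTML pattern case-insensitively but not case-sensitively. The Python below is an added example, not tooling shipped with HAX CMS, that applies that predicate three ways: an audit of an upload tree, a scan of combined-format access log lines, and a check of response headers for the missing Content-Disposition. The directory layout, log lines and header sets are constructed for the demo; the `/api/saveFile` path in the log is a placeholder, not the real endpoint URL.

```python
import os
import re
import tempfile
from typing import Dict, Iterable, List

# Case-insensitive: is this an HTML-family file at all?
HTML_ANY_CASE = re.compile(r"\.(html?)$", re.IGNORECASE)
# Case-sensitive: would a lowercase-only .htaccess rule have matched it?
HTML_LOWERCASE = re.compile(r"\.(html?)$")


def escapes_case_sensitive_rule(path: str) -> bool:
    """The CVE-2026-46392 signature: an HTML-family extension with at least
    one uppercase character (.HTML, .Html, .HTM, ...)."""
    return HTML_ANY_CASE.search(path) is not None and HTML_LOWERCASE.search(path) is None


def audit_upload_tree(root: str) -> List[str]:
    """Walk an upload directory and return the relative path of every file
    whose extension escapes the case-sensitive rule."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if escapes_case_sensitive_rule(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


# Only the request portion of a combined-log-format line is parsed.
LOG_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def scan_access_log(lines: Iterable[str]) -> List[str]:
    """Return request paths of GETs for files whose HTML extension escapes the
    case-sensitive rule. Query strings are stripped before matching."""
    hits = []
    for line in lines:
        m = LOG_REQUEST.search(line)
        if not m or m.group("method") != "GET":
            continue
        path = m.group("path").split("?", 1)[0]
        if escapes_case_sensitive_rule(path):
            hits.append(path)
    return hits


def served_inline_as_html(headers: Dict[str, str]) -> bool:
    """Given the response headers for an uploaded file, report whether a
    browser would render it inline: text/html with no attachment disposition."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";", 1)[0].strip().lower()
    disposition = lowered.get("content-disposition", "").strip().lower()
    return ctype == "text/html" and not disposition.startswith("attachment")


# Constructed sample log lines; hosts, paths and timestamps are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jun/2026:10:00:01 +0000] "GET /files/report.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Jun/2026:10:00:02 +0000] "GET /files/report.HTML?v=2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Jun/2026:10:00:03 +0000] "POST /api/saveFile HTTP/1.1" 200 88',
    '203.0.113.9 - - [05/Jun/2026:10:00:04 +0000] "GET /files/index.Htm HTTP/1.1" 200 300',
]


def demo_audit() -> List[str]:
    """Build a throwaway upload tree with a constructed mix of names and audit it."""
    with tempfile.TemporaryDirectory() as root:
        files_dir = os.path.join(root, "site-a", "files")
        os.makedirs(files_dir)
        for name in ("ok.html", "evil.HTML", "image.png", "mixed.Htm"):
            open(os.path.join(name and files_dir, name), "w").close()
        return audit_upload_tree(root)


if __name__ == "__main__":
    print("upload tree findings:", demo_audit())
    print("suspicious log requests:", scan_access_log(SAMPLE_LOG))
    print("inline?", served_inline_as_html({"Content-Type": "text/html; charset=utf-8"}))
```

The audit and log scan flag the stored-name symptom; the header check confirms whether a given deployment actually serves such a file inline, which is the test to run before and after changing the .htaccess rule. Once the rule is case-insensitive, `escapes_case_sensitive_rule` still identifies files that pre-date the fix and should be reviewed.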
How to Mitigate CVE-2026-46392
Immediate Actions Required
- Upgrade HAX CMS PHP to version 26.0.0 or later, which contains the official fix
- Inventory existing uploads and quarantine any HTML-family files with non-lowercase extensions
- Rotate session secrets and credentials for accounts that may have viewed malicious uploads
Patch Information
The maintainers released version 26.0.0 of HAX CMS PHP, which addresses CVE-2026-46392 by normalizing filename extensions before storage and tightening the .htaccess enforcement. Refer to the GitHub Security Advisory GHSA-hg33-w4j2-95qp for upgrade instructions and commit references.
Workarounds
- Modify the .htaccess rule to use a case-insensitive match for HTML extensions, for example by applying (?i) or listing all case variants
- Add a server-side filter that lowercases the file extension before writing the uploaded file to disk
- Restrict the upload endpoint to trusted users until the patch is applied and verify the MIME type and Content-Disposition header in test responses
# Apache .htaccess example forcing attachment disposition for HTML files regardless of case.
# (?i) makes the match case-insensitive; "html?" already covers both .htm and .html.
# The Header directive requires mod_headers to be loaded.
<FilesMatch "(?i)\.html?$">
    Header set Content-Disposition "attachment"
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.