CVE-2026-46394 Overview
CVE-2026-46394 is an OS command injection vulnerability [CWE-78] in the Git.php library of the HAX CMS PHP backend. HAX CMS manages microsite ecosystems with PHP or Node.js backends. The flaw exists in versions prior to 26.0.0. The application constructs shell command strings from unsanitized input and executes them via proc_open(). An attacker who controls parameters passed into Git operations can execute arbitrary OS commands with the privileges of the web server process. Of 17 functions invoking shell commands, only the commit() function correctly applies escapeshellarg(). Version 26.0.0 patches the issue.
Critical Impact
Combined with configuration manipulation, this command injection enables full remote code execution and complete system compromise on hosts running HAX CMS.
Affected Products
- HAX CMS PHP backend versions prior to 26.0.0
- Git.php library within the HAXcms codebase
- HAX CMS deployments exposing Git operation endpoints to authenticated users
Discovery Timeline
- 2026-06-05 - CVE-2026-46394 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-46394
Vulnerability Analysis
The vulnerability resides in the Git.php library that wraps Git operations for the HAX CMS PHP backend. The library builds shell command strings by concatenating user-controllable input directly into command lines. Those strings are then dispatched to the operating system through proc_open(). Because the input is not escaped, shell metacharacters such as ;, |, &, and backticks are interpreted by the shell.
Authenticated attackers with the ability to influence Git parameters can append arbitrary commands to legitimate Git invocations. The injected commands execute under the identity of the web server user, typically www-data or a similar service account. This grants access to web roots, configuration files, and any credentials available to the web process.
The advisory notes that 17 functions invoke shell commands and only commit() applies escapeshellarg(). Every other Git wrapper function exposes a sink for command injection. When chained with a separate vulnerability that permits configuration manipulation, the attacker achieves reliable remote code execution.
Root Cause
The root cause is missing input neutralization on arguments forwarded to shell commands. The library treats parameters such as repository URLs, branch names, and remotes as trusted strings rather than as data requiring escaping. Calling proc_open() with a shell-interpreted command string compounds the issue.
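The following is an added example, not Git.php from HAX CMS: it places the concatenation pattern the advisory describes beside a hardened wrapper that validates the ref as data and passes argv to proc_open() as an array so no shell is involved. Function names and the repository path are hypothetical, and PHP 8 is assumed for str_contains()/str_ends_with().

```php
<?php
// Added example, not Git.php from HAX CMS. Function names and the repo path
// are hypothetical; the shapes mirror the pattern the advisory describes.
// VULNERABLE PATTERN: the caller-supplied ref is concatenated into one shell
// string, so /bin/sh interprets ; | & and backticks. Contrast only; never called.
function checkoutVulnerable(string $repoDir, string $ref): string
{
    $proc = proc_open("cd $repoDir && git checkout $ref", [1 => ['pipe', 'w']], $pipes);
    $out = stream_get_contents($pipes[1]);
    proc_close($proc);
    return $out;
}

// Fix, step 1: treat the ref as data. Allowlist what git needs and reject a
// leading "-" (option injection), which escapeshellarg() alone would not stop.
function validateRef(string $ref): string
{
    if (!preg_match('~^[A-Za-z0-9][A-Za-z0-9._/-]{0,127}$~', $ref)
        || str_contains($ref, '..') || str_ends_with($ref, '.lock')) {
        throw new InvalidArgumentException("rejected ref: $ref");
    }
    return $ref;
}

// Fix, step 2: pass argv as an array (PHP >= 7.4) so proc_open() execs git
// directly with no shell in between; each element is one literal argument.
function runGit(string $repoDir, array $args): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(array_merge(['git', '-C', $repoDir], $args), $spec, $pipes);
    if ($proc === false) { throw new RuntimeException('proc_open failed'); }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]); fclose($pipes[2]);
    if (proc_close($proc) !== 0) { throw new RuntimeException('git failed: ' . trim($err)); }
    return $out;
}

function checkoutHardened(string $repoDir, string $ref): string
{
    return runGit($repoDir, ['checkout', validateRef($ref)]);
}

// Exercise the validation step on its own (needs no repository).
foreach (['main', 'release/2026.1', 'main; id', '-h', 'a..b'] as $ref) {
    try { echo 'accepted: ', validateRef($ref), "\n"; }
    catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
}
```

Even with the array form, keep the allowlist: escaping stops the shell from parsing the value, but only validation stops git from reading a ref that begins with "-" as an option.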
Attack Vector
Exploitation requires network access to the HAX CMS interface and a low-privileged authenticated session capable of triggering Git operations. The attacker submits a crafted parameter containing shell metacharacters and an appended command. The Git.php wrapper concatenates the input into a shell string and proc_open() executes the attacker payload alongside the intended Git command.
No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-6jf3-9fgh-cmfr for technical details.
Detection Methods for CVE-2026-46394
Indicators of Compromise
- Web server processes (php-fpm, apache2, nginx) spawning unexpected child processes such as sh, bash, curl, wget, nc, or python.
- Git command lines in process logs containing shell metacharacters like ;, |, &&, or backticks within repository URL, branch, or remote parameters.
- New or modified files under the HAX CMS web root that were not produced by an administrator action.
- Outbound network connections from the web server to unknown hosts shortly after Git operations.
Detection Strategies
- Monitor process lineage where the PHP runtime is the parent of shells or interpreters, which indicates command injection through library wrappers.
- Inspect HTTP request bodies and query parameters for shell metacharacters submitted to HAX CMS Git endpoints.
- Correlate Git activity timestamps with file system modifications and outbound network events to identify post-exploitation behavior.
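As an added example (not part of the advisory or of HAX CMS), the two strategies above run over constructed process-telemetry lines. The key=value line format and field names (ppid, pcomm, pid, comm, cmdline) are hypothetical; adapt parseEvent() to whatever your EDR or auditd export emits.

```php
<?php
// Added example, not part of the advisory or of HAX CMS. Runs the two
// detection strategies over constructed process-telemetry lines in a
// hypothetical key=value format; adapt the parser to your EDR/auditd export.
const WEB_PARENTS = ['php-fpm', 'php', 'apache2', 'nginx'];
const SUSPICIOUS  = ['sh', 'bash', 'dash', 'curl', 'wget', 'nc', 'python', 'python3'];

// Parse one line of key=value pairs; values may be double-quoted.
function parseEvent(string $line): array
{
    preg_match_all('/(\w+)=("([^"]*)"|\S+)/', $line, $m, PREG_SET_ORDER);
    $ev = [];
    foreach ($m as $pair) {
        $ev[$pair[1]] = $pair[3] ?? $pair[2];
    }
    return $ev;
}

// Rule 1: the PHP runtime (or the web server) as direct parent of a shell,
// downloader or interpreter, as happens when an injected command runs.
// Rule 2: a git command line whose arguments carry shell metacharacters.
function detect(string $line): array
{
    $ev = parseEvent($line);
    $alerts = [];
    if (in_array($ev['pcomm'] ?? '', WEB_PARENTS, true)
        && in_array($ev['comm'] ?? '', SUSPICIOUS, true)) {
        $alerts[] = "web-parented process: {$ev['pcomm']} -> {$ev['comm']} (pid {$ev['pid']})";
    }
    $cmd = $ev['cmdline'] ?? '';
    if (preg_match('/(^|\s)git\s/', $cmd) && preg_match('/[;|&`]/', $cmd)) {
        $alerts[] = "git command with shell metacharacters: $cmd";
    }
    return $alerts;
}

// Constructed sample telemetry (not real captures). Line 3 is a benign
// cron-launched shell and lines 1 and 4 normal git calls; none should alert.
$sample = [
    'ts=2026-06-09T10:01:02Z ppid=2231 pcomm=php-fpm pid=2290 comm=git cmdline="git -C /var/www/site checkout main"',
    'ts=2026-06-09T10:01:05Z ppid=2231 pcomm=php-fpm pid=2291 comm=sh cmdline="sh -c git checkout main; id"',
    'ts=2026-06-09T10:02:00Z ppid=812 pcomm=cron pid=2300 comm=sh cmdline="sh -c /usr/local/bin/backup.sh"',
    'ts=2026-06-09T10:03:10Z ppid=2231 pcomm=php-fpm pid=2310 comm=git cmdline="git clone https://example.org/site.git /var/www/site"',
    'ts=2026-06-09T10:03:12Z ppid=2231 pcomm=php-fpm pid=2311 comm=curl cmdline="curl -s http://192.0.2.10/"',
];
foreach ($sample as $line) {
    foreach (detect($line) as $alert) {
        echo "ALERT: $alert\n";
    }
}
```

Lines 2 and 5 of the sample produce alerts (line 2 on both rules, line 5 on the parent-child rule); the cron-launched shell and the plain git calls stay silent, which is the baseline the Monitoring Recommendations below rely on.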
Monitoring Recommendations
- Enable PHP error and audit logging and forward logs to a centralized SIEM for retention and correlation.
- Deploy endpoint telemetry on HAX CMS hosts to capture full command lines and parent-child process relationships.
- Baseline normal Git command invocations from the web server so that anomalous arguments stand out.
How to Mitigate CVE-2026-46394
Immediate Actions Required
- Upgrade HAX CMS to version 26.0.0 or later, which applies proper escaping to all Git wrapper functions.
- Restrict access to HAX CMS administrative and Git operation endpoints to trusted users and networks until the upgrade is complete.
- Review web server and application logs for evidence of shell metacharacters in Git-related requests.
Patch Information
The maintainers released version 26.0.0 of HAX CMS, which patches the command injection in Git.php. The fix introduces escapeshellarg() on parameters forwarded to proc_open(). Refer to the GitHub Security Advisory GHSA-6jf3-9fgh-cmfr for full remediation guidance.
Workarounds
- If upgrading immediately is not possible, disable or block routes that invoke Git operations in the HAX CMS PHP backend.
- Run the web server under a dedicated low-privilege account and apply mandatory access controls such as AppArmor or SELinux to limit the impact of command execution.
- Place the HAX CMS instance behind a web application firewall that blocks shell metacharacters in parameters submitted to Git endpoints.
# Configuration example: upgrade HAX CMS and verify version
composer require haxtheweb/haxcms:^26.0.0
php -r "echo defined('HAXCMS_VERSION') ? HAXCMS_VERSION : 'unknown';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.