CVE-2026-46400 Overview
CVE-2026-46400 is an unrestricted file upload vulnerability in HAX CMS, a content management system that manages microsite collections using PHP or Node.js backends. The flaw affects the PHP backend file upload functionality starting in version 11.0.6 and prior to version 25.0.0. The implementation validates uploaded files using a regular expression against the filename extension without inspecting file content or Multipurpose Internet Mail Extensions (MIME) type. Attackers with low-privileged authenticated access can upload PHP webshells disguised as image files. Successful exploitation leads to remote code execution on the host serving the PHP application. The issue is tracked under CWE-434 and is fixed in HAX CMS version 25.0.0.
Critical Impact
Authenticated attackers can upload PHP webshells through the image upload interface and execute arbitrary code on the underlying server.
Affected Products
- HAX CMS PHP backend versions 11.0.6 through 24.x
- Microsite instances served through the HAXCMS PHP upload handler
- Deployments exposing HAXCMS file upload endpoints to authenticated users
Discovery Timeline
- 2026-06-05 - CVE-2026-46400 published to the National Vulnerability Database (NVD)
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-46400
Vulnerability Analysis
The HAXCMS PHP backend exposes a file upload endpoint intended for media assets such as images. The upload handler enforces file type restrictions through a regex pattern matched against the supplied filename. The handler does not read the file header (magic bytes) and does not validate the MIME type reported by the server. An attacker who can authenticate to HAX CMS with low privileges can craft a file whose name satisfies the extension allowlist while the underlying content is PHP source code. When the resulting file is written to a directory that the web server interprets as PHP, requests to the uploaded artifact execute attacker-controlled code in the application context. This pattern is categorized as Unrestricted Upload of File with Dangerous Type (CWE-434) and is a known precursor to remote code execution.
Root Cause
The root cause is reliance on filename pattern matching as the sole validation mechanism. Regex-based extension checks can be bypassed using double extensions such as shell.php.jpg, alternative PHP-handled extensions such as .phtml or .php5, and naming tricks that the web server still routes to the PHP interpreter. The handler never opens the file to confirm format integrity, so files containing PHP tags pass validation as long as the filename matches the expected pattern.
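The following added example (not HAX CMS code) contrasts an illustrative extension-only check with a validator that does what the page says the handler omits: it rejects any PHP-handled extension anywhere in the name, requires the content's magic bytes to match the allowlisted extension, scans for PHP open tags, and discards the client-supplied name on storage. The weak regex, the extension and magic-byte tables, and the helper names are assumptions for illustration.

```python
import os
import re
import secrets

# Magic bytes a file must start with for each allowlisted image extension.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Any extension a typical PHP handler mapping executes, anywhere in the name
# (catches shell.php.jpg as well as .phtml, .php5 and friends).
PHP_EXTENSION = re.compile(r"\.(php\d?|phtml|phps|phar)(\.|$)", re.I)
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.I)


def weak_check(filename):
    """Illustrative extension-only check (assumed, not HAX CMS's real regex):
    it rejects only names ending in .php, so shell.php.jpg, shell.phtml and
    shell.php5 all pass while the content is never inspected."""
    return not re.search(r"\.php$", filename, re.I)


def validate_upload(filename, content):
    """Return (accepted, reason); the content is inspected, not just the name."""
    name = os.path.basename(filename)
    if PHP_EXTENSION.search(name):
        return False, "PHP-handled extension present in filename"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_TYPES:
        return False, "extension not in image allowlist"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "magic bytes do not match extension"
    # A valid image header followed by PHP source (a polyglot) is still rejected.
    if PHP_OPEN_TAG.search(content):
        return False, "PHP open tag embedded in image content"
    return True, "ok"


def stored_name(filename):
    """Discard the client-supplied name; keep only the validated extension."""
    ext = os.path.basename(filename).rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

Serving the upload directory with PHP execution disabled remains necessary even with this validator, since the check is a second layer, not a replacement for handler configuration.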
Attack Vector
Exploitation requires network access to the HAX CMS PHP upload endpoint and a low-privileged authenticated session. The attacker submits a multipart upload request with a filename crafted to satisfy the extension regex while the body contains PHP code. Once stored, the attacker issues an HTTP request to the uploaded file's URL to invoke the PHP interpreter and obtain command execution. No user interaction is required after the upload. Refer to the GitHub Security Advisory GHSA-ffxv-9qv2-v2v8 for vendor details.
Detection Methods for CVE-2026-46400
Indicators of Compromise
- Files with PHP-executable extensions (.php, .phtml, .php5, .phar) present in HAX CMS upload directories that should contain only media assets.
- Web access logs showing GET or POST requests to uploaded files inside files/ or site-specific media directories that return non-image content types.
- Outbound network connections originating from the PHP-FPM or Apache worker process to unexpected hosts following an upload event.
- New cron entries, scheduled tasks, or modified .htaccess files within the HAXCMS document root.
Detection Strategies
- Audit upload directories for files whose magic bytes do not match their extensions using tools such as file or exiftool.
- Inspect HTTP request bodies for PHP open tags (<?php, <?=) submitted to HAXCMS upload routes via a web application firewall (WAF) or reverse proxy.
- Correlate authenticated upload events with subsequent direct requests to the stored filename to identify webshell access patterns.
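As an added example of the correlation strategy above (not tooling from HAX CMS), the script below parses web server access log lines, flags every request to a PHP-executable filename under files/, and records whether the same client POSTed to the upload route shortly beforehand. The upload route, the log lines and the time window are constructed assumptions for illustration.

```python
import re
from datetime import datetime

# Common/combined log format up to the response size; referer and UA are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Any PHP-handled extension under the media directory, double extensions included.
PHP_UNDER_FILES = re.compile(r"/files/.*\.(php\d?|phtml|phar)(\.|\?|$)", re.I)
# Assumed placeholder: substitute the real HAXCMS upload route for your deployment.
UPLOAD_ROUTE = "/upload"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def find_webshell_patterns(lines, window_seconds=600):
    """Flag requests to PHP-executable files under files/ and note whether the
    same client hit the upload route within window_seconds beforehand."""
    uploads = {}   # client ip -> timestamps of upload POSTs
    findings = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["method"] == "POST" and ev["path"].startswith(UPLOAD_ROUTE):
            uploads.setdefault(ev["ip"], []).append(ev["ts"])
            continue
        if PHP_UNDER_FILES.search(ev["path"]):
            recent = [t for t in uploads.get(ev["ip"], [])
                      if 0 <= (ev["ts"] - t).total_seconds() <= window_seconds]
            findings.append({"ip": ev["ip"], "path": ev["path"],
                             "status": ev["status"],
                             "preceded_by_upload": bool(recent)})
    return findings


# Constructed sample access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - editor [10/Jun/2026:12:00:01 +0000] "POST /upload HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2026:12:00:09 +0000] "GET /files/avatar.php.jpg HTTP/1.1" 200 310
198.51.100.7 - - [10/Jun/2026:12:01:30 +0000] "GET /files/logo.png HTTP/1.1" 200 8192
198.51.100.7 - - [10/Jun/2026:12:01:45 +0000] "GET /files/old.php5 HTTP/1.1" 404 0
203.0.113.5 - - [10/Jun/2026:12:02:00 +0000] "GET /files/cache.phtml HTTP/1.1" 200 120
"""

if __name__ == "__main__":
    for finding in find_webshell_patterns(SAMPLE_LOG.splitlines()):
        print(finding)
```

A hit with a 200 status and preceded_by_upload set is the strongest signal; a 404 without a preceding upload is worth noting but more often reflects scanning than a planted file.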
Monitoring Recommendations
- Forward HAX CMS application logs and web server access logs to a centralized log platform and alert on script execution within media directories.
- Monitor process creation by the web server user for shells (sh, bash), network utilities (curl, wget, nc), and PHP child processes spawning system binaries.
- Track file integrity changes within the HAXCMS site root, particularly the creation of .php files outside the application source tree.
How to Mitigate CVE-2026-46400
Immediate Actions Required
- Upgrade HAX CMS to version 25.0.0 or later, which contains the official fix for the file upload validation flaw.
- Restrict access to HAX CMS administrative and content editor accounts and rotate credentials for any account that could reach the upload endpoint.
- Review upload directories for unauthorized PHP files and remove any artifacts that do not match expected media formats.
Patch Information
The maintainers addressed CVE-2026-46400 in HAX CMS version 25.0.0. Operators running affected versions between 11.0.6 and 24.x should upgrade directly to 25.0.0 or newer. Patch and release details are documented in the HAX CMS GitHub Security Advisory GHSA-ffxv-9qv2-v2v8.
Workarounds
- Configure the web server to deny PHP execution within HAXCMS upload directories using rules such as Apache <FilesMatch> blocks or nginx location directives that disable the PHP handler.
- Place a WAF rule in front of HAX CMS that inspects upload payloads for PHP tags and rejects requests containing executable content.
- Limit upload permissions to trusted administrators until the upgrade to version 25.0.0 is completed.
# nginx example: disable PHP execution inside HAXCMS upload directory.
# Place this block before the location that passes .php requests to PHP-FPM,
# since nginx uses the first matching regex location. If that PHP location is
# not anchored with $, widen this pattern to \.(php|phtml|php5|phar)(\.|$)
# so double extensions such as shell.php.jpg are also covered.
location ~* ^/files/.*\.(php|phtml|php5|phar)$ {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.