CVE-2026-46399 | THREATINT

Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue.

PUBLISHED Reserved 2026-05-13 | Published 2026-06-05 | Updated 2026-06-08 | Assigner GitHub_M

CRITICAL: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-15: External Control of System or Configuration Setting

CWE-73: External Control of File Name or Path

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

< 26.0.0

affected

< 26.0.0

affected

References

github.com/...issues/security/advisories/GHSA-q759-vxg8-vq5j exploit

github.com/...issues/security/advisories/GHSA-q759-vxg8-vq5j

cve.org (CVE-2026-46399)

nvd.nist.gov (CVE-2026-46399)

Download JSON