Description
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue.
References (2)
Core 2
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_confirm
https://github.com/haxtheweb/issues/security/advisories/GHSA-g4cf-pp4x-hqgw
Scores
CVSS v3
8.5
EPSS
0.0403
EPSS Percentile
88.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (3)
haxtheweb/haxcms-nodejs
0 - 11.0.3npm
psu/haxcms-nodejs
< 11.0.3
psu/haxcms-php
< 11.0.0
Published
Jun 09, 2025
Tracked Since
Feb 18, 2026