CVE-2026-46400
HIGHHAX CMS PHP 11.0.6-24.x File Upload - Validation Bypass
Title source: manualDescription
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 11.0.6 and prior to version 25.0.0, the file upload functionality in HAXCMS PHP only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicious files (e.g., PHP webshells) disguised as legitimate image files, potentially leading to remote code execution. Version 25.0.0 contains a fix for the issue.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/haxtheweb/issues/security/advisories/GHSA-ffxv-9qv2-v2v8
Scores
CVSS v4
8.7
EPSS
0.0039
EPSS Percentile
30.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (1)
haxtheweb/haxcms-php
>= 11.0.6, < 25.0.0
Published
Jun 05, 2026
Tracked Since
Jun 06, 2026