HarborGuard Database
CVE-2026-46392 | Severity: HIGH | CNA: GitHub_M

CVE-2026-46392: HAX CMS PHP Has a Stored XSS via Case-Sensitivity Mismatch in HTML Upload Validation

HAX CMS helps manage a microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML files is case-sensitive. An HTML file uploaded with an uppercase extension (`.HTML`, `.Html`, `.HTM`) is still served as `text/html`, but the forced-download header never applies, so the browser renders it inline and executes any embedded JavaScript in the HAXcms origin. This bypasses the mitigation shipped for CVE-2026-22704. Version 26.0.0 contains a fix.
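As an added example (not HAX CMS's own code), the following PHP shows the shape of a fix for the mismatch described above: the extension is still checked case-insensitively, as the vulnerable validator did, but the stored name is rewritten to lowercase before it reaches disk, so a case-sensitive `.htaccess` rule sees the same form the allowlist approved. The allowlist contents and the function name are assumptions for illustration.

```php
<?php
// Added example, not HAX CMS code: keep the allowlist decision and the
// stored filename in the same (lowercase) form, so a case-sensitive rule like
//     <FilesMatch "\.(html|htm)$"> Header set Content-Disposition "attachment" </FilesMatch>
// cannot be sidestepped with ".HTML" or ".Html". The companion .htaccess rule
// should also be made case-insensitive, e.g. <FilesMatch "(?i)\.html?$">, so
// that neither layer depends on the other getting it right.
declare(strict_types=1);

// Constructed allowlist for the example; compared in lowercase only.
const ALLOWED_EXTENSIONS = ['html', 'htm', 'png', 'jpg'];

/**
 * Return the canonical filename to store, or null if the upload is rejected.
 * Hypothetical helper: the extension is compared case-insensitively, but the
 * name written to disk always carries the lowercase extension.
 */
function canonicalUploadName(string $original): ?string
{
    // Strip any path component (accept both separator styles).
    $base = basename(str_replace('\\', '/', $original));
    $dot  = strrpos($base, '.');
    if ($dot === false || $dot === 0 || $dot === strlen($base) - 1) {
        return null;                                  // no extension, dotfile, or trailing dot
    }
    $stem = substr($base, 0, $dot);
    $ext  = strtolower(substr($base, $dot + 1));      // normalise case exactly once, here
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;                                  // extension not on the allowlist
    }
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $stem)) {
        return null;                                  // keep the stem boring as well
    }
    return $stem . '.' . $ext;                        // e.g. "report.HTML" -> "report.html"
}

// Walk the cases from the advisory: every accepted name is exactly the name
// the .htaccess rule will later match against.
foreach (['report.HTML', 'index.Html', 'page.HTM', 'logo.png', 'evil.php', '.htaccess'] as $name) {
    $stored = canonicalUploadName($name);
    printf("%-12s -> %s\n", $name, $stored ?? 'rejected');
}
```

Normalising at write time closes this specific bypass; files that a browser can render with script still belong behind the attachment header (or a sandboxed origin) regardless of extension case.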

Metrics

  • CVSS v3.1: 8.7
  • Severity: HIGH
  • Fixed in: (no version recorded)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) affects HAX CMS PHP prior to version 26.0.0. The vulnerability is reachable over the network and requires a low-privilege authenticated account; it also requires a victim to visit or load the uploaded file in their browser. By uploading an HTML file with an uppercase extension (.HTML, .HTM, .Html), an attacker bypasses the case-sensitive .htaccess forced-download rule, causing the browser to render the file inline and execute any embedded JavaScript within the HAXcms origin, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix version is published.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-46392 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including GitHub Advisory, NVD, and CNA sources) within minutes of publication and matched against all customer images, including custom-built images that bundle haxcms-php. Pipeline scans and registry scans both surface affected versions of haxtheweb/haxcms-php below 26.0.0.

Triage: Available

HarborGuard scores this CVE at 8.7 HIGH using the published CVSS v3.1 vector and can weight that score against each customer environment's compliance policy to reflect context such as internet exposure or data-sensitivity tiers. Triage findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a fix release. For customers who opt into auto-remediation, a rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The saveFile endpoint is exposed over the network, so the attacker must be able to reach the HAX CMS PHP service via HTTP/HTTPS from a remote network location.

  • Authentication: Required

    The attacker must hold at least a low-privilege authenticated account on the HAX CMS instance to reach the saveFile upload endpoint.

  • Victim interaction: Required

    A victim (such as another authenticated user or admin) must open or load the uploaded HTML file in their browser for the embedded JavaScript to execute within the HAXcms origin.

  • Attack complexity: Low

    Attack complexity is low: no race conditions or special environmental factors are required; uploading a file with an uppercase HTML extension reliably bypasses the forced-download mitigation every time.

Blast Radius

  • Attacker-controlled JavaScript executes in the HAXcms origin, allowing the attacker to read session tokens and authentication cookies belonging to the victim.
  • Captured session material can be used to impersonate the victim and perform any action the victim's account is authorized to take, including modifying or deleting content.
  • The attack is stored (persisted on the server as an uploaded file), so any user who browses to the malicious URL after the upload is affected without further attacker interaction.

How HarborGuard Handles This

Available on HarborGuard: because no fix version has been published for CVE-2026-46392 as of the publication date, HarborGuard re-checks the upstream advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment haxtheweb/haxcms-php releases a remediated version. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual steps required. In the interim, compensating controls available in most environments include network-policy isolation to restrict access to the HAX CMS PHP upload endpoints to trusted internal users only, egress filtering to limit the blast radius of any JavaScript exfiltration, and file-type validation hardening at the reverse-proxy or WAF layer (normalizing extension case before allowing uploads). Customers whose compliance policy flags HIGH-severity issues for immediate review will find this CVE routed to the appropriate team inbox for prioritization.

Affected packages

  • haxtheweb/haxcms-php < 26.0.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N