CVE-2026-46394: HAX CMS Vulnerable to Command Injection using Git.php
HAX CMS helps manage a universe of microsites with PHP or Node.js backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The application constructs shell command strings from unsanitized input and executes them via proc_open(). An attacker who can control parameters passed into Git operations can execute arbitrary OS commands with the privileges of the web server. Of the 17 functions that invoke shell commands, only one (`commit()`) correctly uses `escapeshellarg()`. When combined with another vulnerability that allows configuration manipulation, this issue can lead to full remote code execution and complete system compromise. Version 26.0.0 patches the issue.
Metrics
- CVSS v4.0
- 7.7
- Severity
- HIGH
- Fixed in
- 26.0.0
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An OS command injection vulnerability exists in the Git.php library of the HAX CMS PHP backend (haxcms-php versions before 26.0.0). The application builds shell command strings from unsanitized user-supplied input and executes them via proc_open(); an attacker reachable over the network with a low-privilege account can inject arbitrary OS commands. Successful exploitation gives the attacker code execution on the host with the privileges of the web server process. The upstream fix is version 26.0.0; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as that release is available to rebuild against.
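The pattern the description and synopsis refer to, shown beside a hardened form, as an added illustration in PHP. This is not HAX CMS's Git.php and not HarborGuard code: the function names, the ref-name allow-list and the throwaway demo repository are assumptions. It requires PHP 7.4 or later (array form of proc_open(), which bypasses the shell) and a git binary on PATH.

```php
<?php
declare(strict_types=1);

// Added illustration of the bug class in this advisory (shell strings built from
// user input and run through proc_open()). NOT HAX CMS's Git.php; names, the
// allow-list and the demo repo are assumptions. Needs PHP >= 7.4 and git on PATH.

/**
 * Run a command in $cwd and return [exit code, stdout, stderr].
 * $cmd may be a shell string (the vulnerable style) or an argv array, which
 * PHP passes to execve() directly so no shell ever parses it.
 */
function runProc($cmd, string $cwd): array
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, $cwd);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return [proc_close($proc), $out, $err];
}

/** VULNERABLE pattern: an attacker-controlled ref name is interpolated into a shell string. */
function checkoutVulnerable(string $repo, string $branch): array
{
    // "main; echo INJECTED" becomes the shell line:  git checkout main; echo INJECTED
    return runProc("git checkout {$branch}", $repo);
}

/**
 * HARDENED pattern: allow-list the ref name, then pass argv as an array.
 * escapeshellarg() alone would neutralise ";", "|" and "$(...)" but not a
 * value such as "-b" that git itself would parse as an option, hence the
 * allow-list rejecting a leading "-" and "..".
 */
function checkoutHardened(string $repo, string $branch): array
{
    // Conservative subset of what `git check-ref-format` accepts (assumed policy).
    if (!preg_match('~^[A-Za-z0-9][A-Za-z0-9._/-]{0,127}$~', $branch) || strpos($branch, '..') !== false) {
        throw new InvalidArgumentException("refusing ref name: {$branch}");
    }
    return runProc(['git', 'checkout', '-q', $branch], $repo);
}

/** Demo against a throwaway repository created in the system temp dir. */
function demo(): void
{
    $repo = sys_get_temp_dir() . '/cmdinj-demo-' . bin2hex(random_bytes(4));
    mkdir($repo, 0700);
    runProc(['git', 'init', '-q'], $repo);
    runProc(['git', 'symbolic-ref', 'HEAD', 'refs/heads/main'], $repo);
    runProc(['git', '-c', 'user.name=demo', '-c', 'user.email=demo@example.invalid',
             'commit', '-q', '--allow-empty', '-m', 'init'], $repo);

    $payload = 'main; echo INJECTED';   // constructed attacker input, not from any real request

    [$code, $out] = checkoutVulnerable($repo, $payload);
    echo "vulnerable: exit={$code} stdout=" . trim($out) . PHP_EOL;

    try {
        checkoutHardened($repo, $payload);
    } catch (InvalidArgumentException $e) {
        echo 'hardened: ' . $e->getMessage() . PHP_EOL;
    }
    [$code] = checkoutHardened($repo, 'main');
    echo "hardened: legitimate checkout exit={$code}" . PHP_EOL;
}

demo();
```

Run with `php demo.php`. The vulnerable call's stdout carries the text the attacker appended after the `;`, because /bin/sh split the interpolated string into two commands; the hardened call refuses the same input before git is ever started, and still performs a legitimate checkout. The design point is that escaping is the weaker fix: once arguments travel as an argv array the shell is out of the picture entirely, and the allow-list closes the remaining option-injection hole that escaping never addressed.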
HarborGuard Coverage
Detection: Available
Detection for CVE-2026-46394 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built PHP application images that bundle haxcms-php. Any image carrying a vulnerable version of haxcms-php (below 26.0.0) is flagged automatically in both registry scans and CI pipeline checks.
Prioritization: Available
HarborGuard scores this finding at CVSS 7.7 HIGH and weights it against each environment's compliance policy to determine priority routing. Findings are dispatched to the appropriate team inbox within the customer org based on image ownership and policy rules, so the right engineers see the alert without manual sorting.
Remediation: Pending upstream
The advisory names 26.0.0 as the fixed version. Until a rebuild against that release is available, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment it lands. For customers with auto-remediation enabled, the rebuild, regression-test run, and a PR opened against affected workloads will be triggered automatically without requiring manual intervention.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the HAX CMS PHP backend to supply malicious input to Git operations.
- Authentication: Required
A low-privilege authenticated account is sufficient; the attacker does not need admin credentials, but unauthenticated access alone is not enough to reach the vulnerable code paths.
- Victim interaction: Not required
No victim action is needed; the attacker sends crafted requests directly to the server without any user having to click a link or open a file.
- Attack complexity: High
Exploitation has elevated complexity because it depends on specific target conditions (CVSS v4 AC:H with attack requirements present, AT:P), including chaining with a separate configuration-manipulation vulnerability to achieve full remote code execution; the exploit is not universally reliable on every HAX CMS deployment.
Blast Radius
- Executes arbitrary OS commands under the web server's process privileges, giving the attacker a foothold on the underlying host.
- Reads files, credentials, and secrets accessible to the web server user, including database connection strings and API keys stored on disk.
- Writes or overwrites files on the host, enabling the attacker to plant backdoors, modify application code, or corrupt site content.
- In combination with the referenced configuration-manipulation vulnerability, achieves complete system compromise of the affected server.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the CVE-2026-46394 advisory across every environment that includes haxcms-php images. The upstream fix is version 26.0.0; HarborGuard re-evaluates the advisory on each ingest cycle and will surface a patched-image rebuild automatically the moment that release (or a later fix) is available to rebuild against. In the interim, compensating controls worth considering include network-policy isolation that restricts inbound access to the HAX CMS PHP backend to trusted sources only, egress filtering on the web server container to limit what an injected command can reach, and feature-flag or route-level gating that disables Git-backed functionality until the patched version is deployed. Because exploitation requires an authenticated low-privilege account, reviewing who holds accounts on the backend and revoking stale ones also narrows the attacker population. For customers with auto-remediation enabled, the transition from monitored-only to rebuild-plus-PR will happen without manual steps once the upstream fix lands.
Affected Products
- haxtheweb / haxcms-php: < 26.0.0
- CVSS vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N