CRITICAL | CVE-2026-46399 | CNA: GitHub_M

CVE-2026-46399: Authenticated Remote Code Execution via File Overwrite

HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue.

Metrics

  • CVSS v4.0: 9.4
  • Severity: CRITICAL
  • Fixed in: not listed
  • Affected Products: 2


HarborGuard Analysis

Synopsis

Authenticated remote code execution via file overwrite affects HAX CMS (both the PHP and Node.js backends) in versions prior to 26.0.0. An attacker with any valid account can reach the vulnerability over the network and configure malicious Git filter commands, which the server then executes. Successful exploitation gives the attacker full code execution on the HAX CMS server. No fix version has been published yet; HarborGuard is tracking the upstream advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-46399 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle HAX CMS. Any image running an affected version of haxcms-php or haxcms-nodejs is flagged automatically.

Triage: Available

Triage capability is available with a CVSS v4.0 score of 9.4 (Critical), and per-environment compliance policy weighting can elevate or suppress routing priority based on each customer org's risk profile. Findings are routed to the team inbox configured in each environment so the right people see the alert without manual sorting.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at version 26.0.0 the moment the upstream maintainers ship it. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger automatically once a fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the HAX CMS service via a standard network connection.

  • Authentication: Required

    A low-privilege authenticated account is sufficient; no admin or elevated role is needed to trigger the file overwrite.

  • Victim interaction: Not required

    No action by any other user or administrator is required for the attacker to complete the exploit.

  • Attack complexity: Low

    The exploit is reliable and condition-free, with no race conditions or special environmental factors required.

Blast Radius

  • Attacker executes arbitrary code directly on the HAX CMS server by injecting malicious Git filter commands.
  • All data accessible to the server process is readable, including site content, configuration files, and any stored credentials or tokens.
  • The attacker can modify or delete any files the server process can write to, corrupting site content or application logic.
  • Downstream systems and services reachable from the compromised server are exposed to lateral movement originating from the HAX CMS host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46399 is active now, flagging any image that bundles haxcms-php or haxcms-nodejs below version 26.0.0. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available at version 26.0.0 automatically when the maintainers publish it. For customers with auto-remediation enabled, that rebuild will trigger a regression-test run and open a PR against affected workloads without manual intervention. While the fix is pending, compensating controls worth considering include isolating HAX CMS containers behind a network policy that restricts inbound access to trusted sources only, applying egress filtering to limit outbound connections from the container, and disabling or tightly scoping Git integration features at the application level if the deployment does not require them.
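As an added illustration (not HarborGuard's or the HAX CMS project's code), here is a version-range check of the kind the detection described above applies for this advisory, run over a constructed package inventory. The package names and the 26.0.0 boundary come from this page's Affected packages list; the `name@version` inventory format and the sample lines are assumptions made for the example.

```python
import re

# Affected range from this advisory: every version below 26.0.0 of either package.
AFFECTED = {
    "haxtheweb/haxcms-php": "26.0.0",
    "haxtheweb/haxcms-nodejs": "26.0.0",
}

def parse_version(v):
    """'25.10.3' -> (25, 10, 3, 1). Numeric parts are padded to three; the last flag
    is 1 for a release and 0 for a pre-release such as 26.0.0-rc1, so a pre-release
    sorts below the release it precedes. Returns None if the string is unparseable."""
    core, _, pre = v.strip().lstrip("v").split("+", 1)[0].partition("-")
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        return None
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + (0 if pre else 1,)

def is_affected(package, version):
    """True when the package is in the advisory and its version is below the fix.
    Parts compare numerically: '9.4.0' < '26.0.0', which a plain string comparison
    gets wrong because '9' > '2'. Raises ValueError on an unparseable version."""
    fixed = AFFECTED.get(package.lower())
    if fixed is None:
        return False
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unparseable version {version!r} for {package}")
    return parsed < parse_version(fixed)

def scan(inventory):
    """Scan 'name@version' lines; return (affected lines, lines needing manual review)."""
    hits, unknown = [], []
    for line in inventory:
        name, _, ver = line.partition("@")
        try:
            if is_affected(name, ver):
                hits.append(line)
        except ValueError:
            unknown.append(line)  # surface it instead of silently passing it
    return hits, unknown

# Constructed sample inventory (made up for this example, not from a real image).
SAMPLE = [
    "haxtheweb/haxcms-php@25.10.3",
    "haxtheweb/haxcms-nodejs@26.0.0",
    "haxtheweb/haxcms-nodejs@9.4.0",
    "haxtheweb/haxcms-php@latest",
    "some/other-package@1.0.0",
]
```

Running `scan(SAMPLE)` flags the 25.10.3 and 9.4.0 entries and sets aside the `latest` tag for review, while the 26.0.0 entry and the unrelated package pass.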

Affected packages

  • haxtheweb / haxcms-nodejs: < 26.0.0
  • haxtheweb / haxcms-php: < 26.0.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H