HIGH | CVE-2026-46400 | CNA: GitHub_M

CVE-2026-46400: HAXCMS PHP has a File Upload Validation Bypass

HAX CMS helps manage a microsite universe with PHP or NodeJs backends. Starting in version 11.0.6 and prior to version 25.0.0, the file upload functionality in HAXCMS PHP only validates file extensions using a regex pattern, without checking the actual file content or MIME type. This allows attackers to upload malicious files (e.g., PHP webshells) disguised as legitimate image files, potentially leading to remote code execution. Version 25.0.0 contains a fix for the issue.

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected products: 1


HarborGuard Analysis

Synopsis

A file upload validation bypass affects HAXCMS PHP (versions 11.0.6 and later, before 25.0.0). The flaw is reachable over the network and requires only a low-privilege account: the upload endpoint checks the file extension with a regex but never inspects the actual file contents or MIME type, so an attacker can rename a PHP webshell to look like an image and upload it. Successful exploitation gives the attacker remote code execution on the server. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-46400 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from haxcms-php base layers.

Triage: Available

HarborGuard scores this finding at CVSS 8.7 (HIGH) and surfaces it accordingly within each customer environment; per-environment compliance policy weighting is applied automatically, and the finding is routed to the inbox or ticket queue configured for the owning team inside each customer org.

Patch: Pending upstream

Because no upstream fix version has been published yet, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream project ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable upload endpoint is exposed over the network, so the attacker must be able to reach the service via HTTP/HTTPS from a remote host.

  • Authentication: Required

    A low-privilege authenticated account is sufficient; no administrative rights are needed to reach the file upload functionality.

  • Victim interaction: Not required

    The attacker submits the malicious upload directly; no action from another user or administrator is needed.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions or special environmental factors are required beyond reaching the upload endpoint with a crafted file.

Blast Radius

  • Attacker gains remote code execution by uploading a PHP webshell and triggering it through the web server, running arbitrary OS commands under the web server process account.
  • Attacker reads files accessible to the web server process, including application configuration files that may contain database credentials or API keys.
  • Attacker modifies or deletes application files and stored content on the server, corrupting microsite data or implanting persistent backdoors.
  • Attacker can crash or degrade the affected service by consuming server resources or corrupting runtime state through the uploaded payload.

How HarborGuard Handles This

Available on HarborGuard: any image built on an affected haxcms-php release (>=11.0.6, <25.0.0) is flagged at ingestion time and marked unresolved until an upstream fix is published. Because no patched release exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface the fix and trigger the rebuild-and-PR flow the moment version 25.0.0 or a subsequent release becomes available upstream. For customers with auto-remediation enabled, that flow includes a rebuilt image, a regression test run, and a PR opened against affected workloads. In the interim, compensating controls worth considering include restricting the file upload endpoint behind a network policy that limits access to known IP ranges, adding a web application firewall rule that rejects uploads whose content bytes do not match expected image magic numbers, and auditing the upload directory to confirm server-side script execution is disabled for that path.
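As an added illustration (not HAXCMS code), the following Python contrasts an extension-only regex check of the kind the advisory describes with a check that also requires the file's leading bytes to match the signature of the claimed image type, which is the same idea as the magic-number WAF rule suggested above. The regex, signature table and sample uploads are constructed for this example.

```python
import re

# Well-known leading-byte signatures for the image types an upload endpoint
# might accept. Constructed for this example; extend for other formats.
IMAGE_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Extension allow-list. \Z rather than $ so a trailing newline in the
# name cannot satisfy the pattern.
EXT_RE = re.compile(r"\.(png|jpe?g|gif)\Z", re.IGNORECASE)


def extension_only_check(filename: str) -> bool:
    """Weak check in the style the advisory describes: the name is all that is tested.
    Note that mimetypes.guess_type() would be no better, since it also infers from
    the extension rather than the bytes."""
    return EXT_RE.search(filename) is not None


def content_check(filename: str, data: bytes) -> bool:
    """Hardened check: the extension must be allowed AND the leading bytes must
    match a signature registered for that extension."""
    m = EXT_RE.search(filename)
    if m is None:
        return False
    ext = m.group(1).lower()
    return any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext])


# Constructed sample uploads: two genuine image headers, a script body
# behind an image name, and a plain text file.
SAMPLE_UPLOADS = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "shell.png": b"<?php echo 'not an image'; ?>",
    "notes.txt": b"plain text",
}


def audit(uploads: dict) -> tuple:
    """Return (names the weak check accepts, names the content check accepts);
    anything in the first list but not the second is what the bypass lets through."""
    weak = sorted(n for n in uploads if extension_only_check(n))
    strict = sorted(n for n, d in uploads.items() if content_check(n, d))
    return weak, strict


if __name__ == "__main__":
    print(audit(SAMPLE_UPLOADS))
```

Validating the bytes is a necessary but not sufficient control: the upload directory should also be served without script execution, as the auditing step above recommends, so that a polyglot file passing the signature check still cannot run.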

Affected packages
  • haxtheweb / haxcms-php
    >= 11.0.6, < 25.0.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N