
PHP CVE-2025-49141

EUVD-2025-17578 HIGH
OS Command Injection (CWE-78)
2025-06-09 security-advisories@github.com GHSA-g4cf-pp4x-hqgw
8.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline (5 events)

  • EUVD ID Assigned · Mar 14, 2026 - 19:21 · euvd · EUVD-2025-17578
  • Analysis Generated · Mar 14, 2026 - 19:21 · vuln.today
  • Patch released · Mar 14, 2026 - 19:21 · nvd · Patch available
  • PoC Detected · Jul 30, 2025 - 17:36 · vuln.today · Public exploit code
  • CVE Published · Jun 09, 2025 - 21:15 · nvd · HIGH 8.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on @haxtheweb/haxcms-nodejs (1 direct, 1 indirect)

Ecosystem-wide dependent count for version 11.0.3.

Description (GitHub Advisory)

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the gitImportSite functionality obtains a URL string from a POST request and insufficiently validates user input. The set_remote function later passes this input into proc_open, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the filter_var and strpos functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue.

Analysis (AI)

HAX CMS PHP versions prior to 11.0.3 contain an OS command injection vulnerability in the gitImportSite functionality where insufficient input validation on user-supplied URL parameters allows authenticated attackers to bypass filter_var and strpos checks and execute arbitrary OS commands via the set_remote function's proc_open call. An authenticated attacker can leverage this to execute arbitrary commands and exfiltrate output, representing a critical post-authentication code execution risk with high real-world impact due to full OS command execution capability.

Technical Context (AI)

The vulnerability exists in HAX CMS PHP's git import functionality, specifically in how the application handles the URL supplied in a POST request. The application validates that input with PHP's filter_var function (typically FILTER_VALIDATE_URL) and strpos string matching, but both only check URL shape and substring presence: a syntactically valid URL can still contain shell metacharacters. The root cause (CWE-78: Improper Neutralization of Special Elements used in an OS Command) is that this user-controlled input reaches proc_open, which, when given a command string rather than an argument array, runs that string through the system shell. The set_remote function receives the attacker-crafted URL and passes it into the process execution pipeline without escaping, so shell metacharacters can break out of the intended command boundary. This is a classic command injection pattern: validating URL format is not a defence against command syntax injection.
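The weak check the Technical Context describes, next to a hardened replacement, as an added example that is not HAX CMS code; the function names, repository path and sample URLs are assumptions, and the hardened call needs PHP 7.4 or later for the array form of proc_open:

```php
<?php
declare(strict_types=1);

// Added example, not HAX CMS code. Function names and sample inputs are
// constructed for illustration.

// The check pattern the advisory describes: a syntactically valid URL that
// starts with "http" passes, even when it carries shell metacharacters,
// because FILTER_VALIDATE_URL only checks URL shape.
function passesWeakCheck(string $url): bool
{
    return filter_var($url, FILTER_VALIDATE_URL) !== false
        && strpos($url, 'http') === 0;
}

// Hardened check: an allowlist of the characters a git HTTPS remote needs.
// Anything else (spaces, quotes, ; | & $ ` ( ) < > and friends) is rejected,
// and the mandatory "https://" prefix rules out a value beginning with "-"
// that git could parse as an option.
function isSafeGitRemote(string $url): bool
{
    return strlen($url) <= 512
        && preg_match('~\Ahttps://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~-]+)+\z~', $url) === 1;
}

// Hardened call: the command is an argv array, so PHP executes git directly
// with no shell in between. Returns git's exit status, or -1 when the input
// is rejected or the process cannot be started.
function setRemoteSafely(string $repoDir, string $url): int
{
    if (!isSafeGitRemote($url)) {
        return -1;
    }
    $proc = proc_open(
        ['git', '-C', $repoDir, 'remote', 'set-url', 'origin', $url],
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed inputs: a legitimate remote, and a well-formed URL whose path
// carries a shell command separator.
$good = 'https://github.com/example-org/example-site.git';
$bad  = 'https://github.com/example-org/site.git;echo';
var_dump(passesWeakCheck($bad), isSafeGitRemote($bad), isSafeGitRemote($good));
```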

Remediation (AI)

Immediate: upgrade HAX CMS PHP to version 11.0.3 or later, which patches the input validation in gitImportSite. For organizations unable to patch immediately, apply compensating controls: (1) restrict access to HAX CMS authentication endpoints to trusted networks or VPNs only; (2) add Web Application Firewall (WAF) rules that flag command injection patterns in the POST parameters used by git import (shell metacharacters such as backticks, $(), |, &, ;, >, < in URL parameters); (3) disable the git import functionality if it is not actively used; (4) monitor processes spawned by the PHP worker, where proc_open calls surface, for suspicious command lines. Long-term: restrict admin and import functionality to the smallest set of users that needs it, following the principle of least privilege.


CVE-2025-49141 vulnerability details – vuln.today
