Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the saveFile endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the .htaccess rule that forces Content-Disposition: attachment on HTML files is case-sensitive. An HTML file uploaded with an uppercase extension (.HTML, .Html, .HTM) is still served as text/html but the forced-download header never applies, so the browser renders it inline and executes any embedded JavaScript in the HAXcms origin. This bypasses the mitigation shipped for CVE-2026-22704. Version 26.0.0 contains a fix.
AnalysisAI
Stored cross-site scripting in HAX CMS PHP before 26.0.0 lets authenticated low-privilege users upload HTML files with uppercase extensions (.HTML, .Html, .HTM) that bypass the case-sensitive .htaccess Content-Disposition: attachment rule, causing browsers to render the file inline and execute embedded JavaScript in the HAXcms origin. The flaw defeats the mitigation shipped for CVE-2026-22704 and carries a CVSS 8.7 score driven by scope change (S:C) into the victim browser context. No public exploit identified at time of analysis, though the GitHub Security Advisory describes the bypass technique in enough detail to reproduce.
Technical ContextAI
HAX CMS is a microsite/content management platform with both PHP and Node.js backends; this issue affects the PHP backend (CPE haxtheweb:haxcms-php). The root cause maps to CWE-178 (Improper Handling of Case Sensitivity): the saveFile upload endpoint normalizes the extension check to be case-insensitive (blocking .html in any case), yet the Apache .htaccess rule that forces Content-Disposition: attachment for HTML responses matches only lowercase .html. Because Apache's content-type negotiation still maps .HTM/.HTML/.Html to text/html while the regex-based attachment rule misses them, the file is served inline and the embedded script runs in the HAXcms same-origin context - exactly the outcome the original CVE-2026-22704 mitigation was meant to prevent.
RemediationAI
Vendor-released patch: upgrade haxcms-php to version 26.0.0 or later, which corrects the extension/htaccess case mismatch (see https://github.com/haxtheweb/issues/security/advisories/GHSA-hg33-w4j2-95qp). If upgrading immediately is not possible, edit the site's .htaccess to match HTML extensions case-insensitively - for example replace any \.html$ rule with (?i)\.html?$ or add explicit FilesMatch directives covering .HTM, .HTML, .Htm, .Html - which forces the Content-Disposition: attachment header on all casings; the side effect is purely cosmetic (HTML downloads instead of rendering, which is the intended behavior for uploaded files). Additionally, tighten the saveFile endpoint to reject any extension whose lowercased form is in the blocklist before writing to disk, and restrict the upload role to trusted authors only as a defense-in-depth measure while patches are rolled out.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-178 – Improper Handling of Case Sensitivity
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34883