Skip to main content

HAX CMS EUVDEUVD-2026-34883

| CVE-2026-46392 HIGH
Improper Handling of Case Sensitivity (CWE-178)
2026-06-05 GitHub_M
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 05, 2026 - 20:02 EUVD
Analysis Generated
Jun 05, 2026 - 19:21 vuln.today

DescriptionGitHub Advisory

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the saveFile endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the .htaccess rule that forces Content-Disposition: attachment on HTML files is case-sensitive. An HTML file uploaded with an uppercase extension (.HTML, .Html, .HTM) is still served as text/html but the forced-download header never applies, so the browser renders it inline and executes any embedded JavaScript in the HAXcms origin. This bypasses the mitigation shipped for CVE-2026-22704. Version 26.0.0 contains a fix.

AnalysisAI

Stored cross-site scripting in HAX CMS PHP before 26.0.0 lets authenticated low-privilege users upload HTML files with uppercase extensions (.HTML, .Html, .HTM) that bypass the case-sensitive .htaccess Content-Disposition: attachment rule, causing browsers to render the file inline and execute embedded JavaScript in the HAXcms origin. The flaw defeats the mitigation shipped for CVE-2026-22704 and carries a CVSS 8.7 score driven by scope change (S:C) into the victim browser context. No public exploit identified at time of analysis, though the GitHub Security Advisory describes the bypass technique in enough detail to reproduce.

Technical ContextAI

HAX CMS is a microsite/content management platform with both PHP and Node.js backends; this issue affects the PHP backend (CPE haxtheweb:haxcms-php). The root cause maps to CWE-178 (Improper Handling of Case Sensitivity): the saveFile upload endpoint normalizes the extension check to be case-insensitive (blocking .html in any case), yet the Apache .htaccess rule that forces Content-Disposition: attachment for HTML responses matches only lowercase .html. Because Apache's content-type negotiation still maps .HTM/.HTML/.Html to text/html while the regex-based attachment rule misses them, the file is served inline and the embedded script runs in the HAXcms same-origin context - exactly the outcome the original CVE-2026-22704 mitigation was meant to prevent.

RemediationAI

Vendor-released patch: upgrade haxcms-php to version 26.0.0 or later, which corrects the extension/htaccess case mismatch (see https://github.com/haxtheweb/issues/security/advisories/GHSA-hg33-w4j2-95qp). If upgrading immediately is not possible, edit the site's .htaccess to match HTML extensions case-insensitively - for example replace any \.html$ rule with (?i)\.html?$ or add explicit FilesMatch directives covering .HTM, .HTML, .Htm, .Html - which forces the Content-Disposition: attachment header on all casings; the side effect is purely cosmetic (HTML downloads instead of rendering, which is the intended behavior for uploaded files). Additionally, tighten the saveFile endpoint to reject any extension whose lowercased form is in the blocklist before writing to disk, and restrict the upload role to trusted authors only as a defense-in-depth measure while patches are rolled out.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-34883 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy