CVE-2026-46392

June 5, 2026, 8:17 p.m.

8.7
High

Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML files is case-sensitive. An HTML file uploaded with an uppercase extension (`.HTML`, `.Html`, `.HTM`) is still served as `text/html` but the forced-download header never applies, so the browser renders it inline and executes any embedded JavaScript in the HAXcms origin. This bypasses the mitigation shipped for CVE-2026-22704. Version 26.0.0 contains a fix.

Product(s) Impacted

Vendor Product Versions
Hax
  • Hax Cms
  • *, 26.0.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-178
Improper Handling of Case Sensitivity
The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a hax hax_cms / / / / / / / /
a hax hax_cms 26.0.0 / / / / / / /

References

https://github.com/haxtheweb/issues/security/advisories/GHSA-hg33-w4j2-95qp
https://github.com/haxtheweb/issues/security/advisories/GHSA-hg33-w4j2-95qp

Tags

[email protected]
CWE-178
2026-06-05
CVE-2026-46392

CVSS Score

8.7 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

    View Vector String

Timeline

Published: June 5, 2026, 7:16 p.m.
Last Modified: June 5, 2026, 8:17 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.