HIGH 8.7

CVE-2026-46392: HAX CMS PHP Case-Insensitive File Upload XSS Bypass

HAX CMS, a platform for managing microsite deployments with PHP or Node.js backends, contains a file upload bypass vulnerability in versions before 26.0.0. The vulnerability stems from a mismatch between how the application validates uploaded file extensions and how its web server security rules apply. An authenticated attacker can upload an HTML file with an uppercase extension (such as .HTML or .HTM) to bypass security controls that normally force downloaded HTML files rather than displayed them inline. Once bypassed, the HTML executes JavaScript within the HAX CMS origin, potentially allowing account compromise, session hijacking, or lateral movement.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-178, CWE-434
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML files is case-sensitive. An HTML file uploaded with an uppercase extension (`.HTML`, `.Html`, `.HTM`) is still served as `text/html` but the forced-download header never applies, so the browser renders it inline and executes any embedded JavaScript in the HAXcms origin. This bypasses the mitigation shipped for CVE-2026-22704. Version 26.0.0 contains a fix.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability arises from case-sensitivity inconsistencies in HAX CMS PHP's upload handling. The `saveFile` endpoint performs case-insensitive extension validation and writes filenames to disk exactly as provided, but the `.htaccess` directive enforcing `Content-Disposition: attachment` on HTML files uses case-sensitive matching. An attacker uploads an HTML file with uppercase extension variants (.HTML, .Html, .HTM) which pass validation, yet the `.htaccess` rule—matching only lowercase `.html`—does not apply. The web server then serves the file as `text/html` content-type without the forced-download header, causing browsers to render it inline within the application context. This re-introduces the vulnerability remediated in CVE-2026-22704. Affected CWEs include CWE-178 (Improper Handling of Case Sensitivity) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

Business impact

Authenticated users—including those with limited privileges—can execute arbitrary JavaScript in the HAX CMS application context without administrative intervention. This enables account takeover, unauthorized data access, malicious modifications to hosted microsites, and potential lateral movement to other systems sharing authentication or network trust boundaries. Organizations relying on HAX CMS for customer-facing microsite deployments face reputation damage, data breach liability, and service disruption. The vulnerability is particularly critical if HAX CMS instances manage sensitive customer data or support authenticated user interactions.

Affected systems

HAX CMS PHP versions prior to 26.0.0 are vulnerable. Node.js versions of HAX CMS are not affected by this particular flaw. Deployment risk depends on whether the instance accepts uploads from authenticated users and whether those users have legitimate reasons to upload files; fully open registration or shared hosting increases exposure.

Exploitability

Exploitation requires valid authentication credentials (PR:L in the CVSS vector), making this a post-authentication attack. However, the barrier is low if the application supports user registration or multi-user access. No special interaction or tools are needed beyond a standard file upload form and browser—attackers need only submit an HTML file with uppercase extension. The attack is reliable and does not depend on timing, race conditions, or complex application state. Browser-based JavaScript execution occurs automatically upon viewing the uploaded file.

Remediation

Upgrade HAX CMS PHP to version 26.0.0 or later. This version corrects the case-sensitivity mismatch by ensuring `.htaccess` rules or equivalent server-side controls match both uppercase and lowercase HTML file extension variants, or by rejecting uppercase variants at upload time. After patching, audit uploaded files in existing instances for suspicious HTML files with non-standard casing and remove them if found.

Patch guidance

Apply HAX CMS PHP version 26.0.0 immediately to all affected instances. Verify the upgrade by confirming the version in the application's admin interface or version file. Test that the patch correctly rejects or safely serves uppercase-extension HTML uploads by attempting to upload a test `.HTML` file and confirming it either fails or downloads rather than renders inline. No database migration or configuration change is required. If custom `.htaccess` rules exist, audit them to ensure they do not reintroduce case-sensitivity issues.

Detection guidance

Monitor HAX CMS logs for successful uploads of files with `.HTML`, `.Html`, `.HTM`, or other non-standard case extensions. Scan the upload directory for files with HTML-like extensions in mixed case; use `find -iname '*.html'` and manually review results for uppercase variants. Check web server access logs for requests to such files followed by requests to API endpoints or admin functions, suggesting post-upload exploitation. Intrusion detection rules should flag attempts to upload files with extensions matching HTML in any case variant to HAX CMS upload endpoints.

Why prioritize this

This vulnerability merits immediate remediation despite not appearing on the CISA KEV catalog. The CVSS 8.7 (HIGH) score reflects high confidentiality and integrity impact, low attack complexity, and cross-origin (Scope Changed) attack potential. Authentication requirement prevents mass worm-like spread but does not protect multi-user or publicly registered deployments. The flaw directly re-opens a previously patched vulnerability (CVE-2026-22704), indicating attacker familiarity with the threat model. Organizations managing customer-facing or internal collaborative microsites should prioritize this patch within 1–2 weeks of release.

Risk score, explained

CVSS 8.7 reflects: Network-accessible endpoint (AV:N), no special conditions needed to trigger (AC:L), authenticated attacker required (PR:L), user interaction needed to exploit (UI:R—user must view the uploaded HTML), attack scope changed (S:C—JavaScript executes in application origin affecting other users or resources), and high impact on confidentiality and integrity (C:H, I:H) with no availability impact (A:N). The score appropriately captures the combination of ease of exploitation post-authentication and the sensitive nature of XSS-style attacks in application origin.

Frequently asked questions

Does the patch for CVE-2026-22704 prevent this vulnerability?

No. The earlier patch for CVE-2026-22704 addressed the core file-execution threat but relied on case-sensitive `.htaccess` rules. This vulnerability exploits that assumption by using uppercase extension variants. Version 26.0.0 fixes the case-sensitivity mismatch itself.

Can we block this by disabling file uploads entirely?

Yes, but that may not be practical if users need upload functionality. Instead, apply version 26.0.0, normalize uploaded filenames to lowercase before writing to disk, or use application-level content-type enforcement independent of file extension (e.g., always serve HTML uploads with `Content-Disposition: attachment`).

Does this affect Node.js versions of HAX CMS?

No. This specific vulnerability is unique to the PHP version due to reliance on `.htaccess` rules. Node.js versions use different server configuration mechanisms and are not mentioned in the advisory as affected.

What if we cannot patch immediately?

Implement temporary controls: restrict upload functionality to administrators only, manually audit and remove uploaded HTML files with non-standard casing, enforce Content-Security-Policy headers, and monitor for suspicious uploads. However, these are not substitutes for patching and should be treated as interim measures only.

This analysis is based on publicly available CVE data and vendor advisories as of the publication date. Organizations should verify all patch version numbers and remediation steps directly with the HAX CMS vendor advisory before deployment. Security research and testing should be conducted only in authorized environments. This information is provided for defensive security purposes and does not constitute exploitation guidance. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).