PatchSiren cyber security CVE debrief

CVE-2026-46392 haxtheweb CVE debrief

CVE-2026-46392 is a HIGH severity vulnerability in HAX CMS PHP prior to version 26.0.0. The `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim. However, the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML files is case-sensitive. This allows an HTML file uploaded with an uppercase extension (`.HTML`, `.Html`, `.HTM`) to be served as `text/html` without the forced-download header, enabling the browser to render it inline and execute any embedded JavaScript in the HAXcms origin. This bypasses the mitigation shipped for CVE-2026-22704.

Vendor
haxtheweb
Product
haxcms-php
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-05
Original CVE updated
2026-06-05
Advisory published
2026-06-05
Advisory updated
2026-06-05

Who should care

Users of HAX CMS PHP prior to version 26.0.0 should upgrade to version 26.0.0 or later to mitigate this vulnerability.

Technical summary

The `saveFile` endpoint in HAX CMS PHP prior to version 26.0.0 has a case-insensitive validation for upload extensions but writes filenames to disk verbatim. The `.htaccess` rule enforcing `Content-Disposition: attachment` for HTML files is case-sensitive. This discrepancy allows HTML files with uppercase extensions to bypass the forced-download header, enabling inline rendering and potential JavaScript execution.
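The following Python is an added illustration, not code from the advisory or from HAXcms: it models the mismatch between a case-folded extension check and a case-sensitive serving rule, audits which stored names would be served without the attachment header, and shows the two fixes a defender would apply (a case-insensitive `FilesMatch`, and normalising the stored extension). The regexes only approximate the shape of the `.htaccess` rule; the advisory does not quote the real one.

```python
import re

# Assumed shape of a case-sensitive Apache rule, e.g.
#   <FilesMatch "\.html?$"> Header set Content-Disposition attachment </FilesMatch>
# The exact HAXcms rule is not quoted in the advisory, so this is an assumption.
WEAK_FILESMATCH = re.compile(r"\.html?$")
# Hardened form: the same rule with PCRE's inline case-insensitive flag,
# i.e. <FilesMatch "(?i)\.html?$">; Python's re accepts the same syntax.
FIXED_FILESMATCH = re.compile(r"(?i)\.html?$")


def forced_download(filename: str, rule: re.Pattern) -> bool:
    """True if `rule` would add Content-Disposition: attachment to this name."""
    return rule.search(filename) is not None


def is_html_by_extension(filename: str) -> bool:
    """Case-insensitive classification, mirroring an upload validator that
    compares extensions after lower-casing (as the advisory says saveFile does)."""
    return filename.lower().rsplit(".", 1)[-1] in {"html", "htm"}


def audit_inline_html(filenames, rule=WEAK_FILESMATCH):
    """Return names that are HTML by case-folded extension but would NOT get
    the forced-download header under `rule` (i.e. would render inline)."""
    return [f for f in filenames
            if is_html_by_extension(f) and not forced_download(f, rule)]


def normalize_extension(filename: str) -> str:
    """Storage-side fix: lower-case the extension before writing to disk so
    a case-sensitive serving rule still matches what was validated."""
    stem, dot, ext = filename.rpartition(".")
    return f"{stem}.{ext.lower()}" if dot else filename


# Constructed sample of stored upload names (not real data)
SAMPLE_UPLOADS = ["notes.html", "page.HTML", "index.Html",
                  "readme.HTM", "photo.png", "report.pdf"]

if __name__ == "__main__":
    print("inline under weak rule: ", audit_inline_html(SAMPLE_UPLOADS))
    print("inline under fixed rule:", audit_inline_html(SAMPLE_UPLOADS, FIXED_FILESMATCH))
    print("normalized names:       ", [normalize_extension(f) for f in SAMPLE_UPLOADS])
```

Running the audit against a real upload directory listing gives a quick post-upgrade check that no previously stored mixed-case HTML name is still served inline.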

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade HAX CMS PHP to version 26.0.0 or later.
  • Review and adjust file upload and serving configurations to ensure proper handling of file extensions and content types.

Evidence notes

CVE-2026-46392 has a CVSS score of 8.7 and is rated HIGH severity. It was published on 2026-06-05 and last modified on 2026-06-05.
