PatchSiren cyber security CVE debrief
CVE-2026-46394 haxtheweb CVE debrief
CVE-2026-46394 is an OS command injection vulnerability in the Git.php library of the HAXcms PHP backend. The vulnerability allows an attacker to execute OS commands with the privileges of the web server. This issue can lead to full remote code execution and complete system compromise when combined with another vulnerability that allows configuration manipulation. The vulnerability was patched in version 26.0.0.
- Vendor
- haxtheweb
- Product
- haxcms-php
- CVSS
- HIGH 7.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-05
- Original CVE updated
- 2026-06-08
- Advisory published
- 2026-06-05
- Advisory updated
- 2026-06-08
Who should care
Users of HAX CMS, especially those using the PHP backend, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 26.0.0 or later.
Technical summary
The HAX CMS Git.php library constructs shell command strings using unsanitized input and executes them via proc_open(). An attacker who can control parameters passed into Git operations can execute arbitrary OS commands. Out of 17 functions that invoke shell commands, only 1 function (commit()) correctly uses escapeshellarg().
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to version 26.0.0 or later
- Review and sanitize input parameters passed into Git operations
- Implement additional security measures to prevent configuration manipulation
Evidence notes
CVE-2026-46394 has a CVSS score of 7.7 and is considered HIGH severity. The vulnerability was published on 2026-06-05T19:16:33.447Z and modified on 2026-06-08T19:16:45.453Z.
Official resources
-
CVE-2026-46394 CVE record
CVE.org
-
CVE-2026-46394 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-46394 was published on 2026-06-05T19:16:33.447Z and modified on 2026-06-08T19:16:45.453Z.