PatchSiren cyber security CVE debrief

CVE-2026-46400 haxtheweb CVE debrief

CVE-2026-46400 is a high-severity vulnerability in HAX CMS, a microsite universe management system. The vulnerability exists in the file upload functionality of HAXCMS PHP, starting from version 11.0.6 and prior to version 25.0.0. The file upload functionality only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicious files, such as PHP webshells, disguised as legitimate image files, potentially leading to remote code execution. The CVSS score for this vulnerability is 8.7, indicating a high severity. The vulnerability was published on [cvePublishedAt] and modified on [cveModifiedAt].

Vendor: haxtheweb
Product: haxcms-php
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-05
Original CVE updated: 2026-06-08
Advisory published: 2026-06-05
Advisory updated: 2026-06-08

Who should care

Users of HAX CMS, particularly those using versions between 11.0.6 and 25.0.0, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The file upload functionality in HAXCMS PHP only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicious files (e.g., PHP webshells) disguised as legitimate image files, potentially leading to remote code execution.

Defensive priority

High

Recommended defensive actions

Upgrade to version 25.0.0 or later
Implement additional validation and sanitization of file uploads
Monitor for suspicious file uploads and system activity

Evidence notes

The vulnerability is described in the CVE record [resourceLinkAnnotations:cve-org] and the NVD detail page [resourceLinkAnnotations:nvd].

Official resources

CVE-2026-46400 was published on 2026-06-05T20:17:34.073Z and modified on 2026-06-08T17:16:51.057Z.