CVE-2025-32028
08.04.2025, 16:15
HAX CMS PHP allows you to manage your microsite universe with a PHP backend. Multiple file upload functions within the HAX CMS PHP application call a save function in HAXCMSFile.php. This save function uses a denylist to block specific file types from being uploaded to the server. This list is non-exhaustive and only blocks .php, .sh, .js, and .css files. The existing logic causes the system to "fail open" rather than "fail closed." This vulnerability is fixed in 10.0.3.
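The difference between failing open and failing closed, as an added PHP sketch (not the code from HAXCMSFile.php): the denylist holds the four extensions named above, while the allowlist contents, the function names and the sample filenames are assumptions constructed for illustration.

```php
<?php
// Added illustration; this is not the project's save function.

// Denylist as described in the advisory: only these four extensions are refused.
const DENIED_EXTENSIONS = ['php', 'sh', 'js', 'css'];

// Hypothetical allowlist; a real deployment lists only the types it actually needs.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf'];

// Lower-cased final extension of the client-supplied name ('' when there is none).
function extensionOf(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Fail open: anything that is not explicitly denied is accepted,
// so every file type the list's author did not think of gets through.
function denylistAccepts(string $name): bool
{
    return !in_array(extensionOf($name), DENIED_EXTENSIONS, true);
}

// Fail closed: anything that is not explicitly allowed is rejected,
// including names with no extension at all.
function allowlistAccepts(string $name): bool
{
    $ext = extensionOf($name);
    return $ext !== '' && in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Constructed sample filenames, not taken from the advisory.
$samples = ['photo.png', 'index.php', 'notes.unknowntype', 'README'];

foreach ($samples as $name) {
    printf(
        "%-20s denylist=%-6s allowlist=%s\n",
        $name,
        denylistAccepts($name) ? 'accept' : 'reject',
        allowlistAccepts($name) ? 'accept' : 'reject'
    );
}
```

Both checks agree on `photo.png` and `index.php`; they diverge on the unrecognised extension and the extensionless name, which the denylist accepts and the allowlist rejects.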
Vendor | Product | Version |
---|---|---|
haxtheweb | hax | 9.0.0 ≤ 𝑥 ≤ 10.0.3 |
𝑥 = Vulnerable software versions
Common Weakness Enumeration