CVE-2026-46392

HAX CMS (PHP, pre-26.0.0) has a case-sensitivity mismatch in HTML upload handling. The saveFile endpoint validates extensions case-insensitively but the .htaccess rule enforcing Content-Disposition: attachment for HTML is case-sensitive. As a result, an uploaded HTML file with an uppercase extens...

EUVD-2019-19280

Malware in sbrugna...

EUVD-2019-2502

Malware in sbrugna...

EUVD-2021-21927

Malware in sbrugna...

EUVD-2020-13479

Malware in sbrugna...

EUVD-2018-10598

Malware in sbrugna...

EUVD-2020-13480

Malware in sbrugna...

EUVD-2019-18426

Malware in sbrugna...

EUVD-2019-2248

Malware in sbrugna...

EUVD-2020-13482

Malware in sbrugna...

CVE-2025-49137

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in...

CVE-2025-49141

The CVE-2025-49141 entry concerns HAX CMS PHP (pre-11.0.3) with an OS command injection in the gitImportSite flow. The issue arises when gitImportSite retrieves a URL from a POST request and performs insufficient input validation; later, set_remote passes the input to proc_open, enabling an attac...

CVE-2025-49141 HaxCMS-PHP Command Injection Vulnerability

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the gitImportSite functionality obtains a URL string from a POST request and insufficiently validates user input. The setremote function later passes this input into procopen, yielding OS...

CVE-2025-49141 HaxCMS-PHP Command Injection Vulnerability

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the gitImportSite functionality obtains a URL string from a POST request and insufficiently validates user input. The setremote function later passes this input into procopen, yielding OS...

CVE-2023-44381

October is a Content Management System CMS and web platform to assist with development workflow. An authenticated backend user with the editor.cmspages, editor.cmslayouts, or editor.cmspartials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to...

CVE-2021-32649

October CMS is a self-hosted content management system CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially crafted Twig code in t...

CVE-2021-35284

SQL Injection vulnerability in function getuser in loginmanager.php in rizalafani cms-php v1...

CVE-2020-20698

A remote code execution RCE vulnerability in /1.com.php of S-CMS PHP v3.0 allows attackers to getshell via modification of a PHP file...

CVE-2020-20701

A stored cross site scripting XSS vulnerability in /app/config/of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...

CVE-2020-20699

A cross site scripting XSS vulnerability in S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Copyright text box under Basic Settings...