
7 matches found

GithubExploit
added 2026/06/09 5:19 p.m. | 39 views

Exploit for CVE-2026-46394

CVE-2026-46394 - HAXcms Git.php OS Command Injection CWE-78...

7.7 CVSS | 5.9 AI score | 0.00768 EPSS
Exploits: 1
RedhatCVE
added 2026/06/06 6:43 p.m. | 11 views

CVE-2026-46394

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The application constructs shell command strings using unsanitized input and executes them via proc_open. An...

7.7 CVSS | 6.7 AI score | 0.00768 EPSS
Exploits: 1 | References: 1
Cvelist
added 2026/06/05 6:26 p.m. | 29 views

CVE-2026-46394 HAX CMS Vulnerable to Command Injection using Git.php

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The application constructs shell command strings using unsanitized input and executes them via proc_open. An...

7.7 CVSS | 0.00768 EPSS
Exploits: 1 | References: 1
CVE
added 2026/06/05 6:26 p.m. | 24 views

CVE-2026-46394

CVE-2026-46394: HAX CMS PHP backend prior to v26.0.0 is vulnerable to OS command injection in the Git.php library. The application builds shell commands from unsanitized input and executes them via proc_open(); only one of 17 command-invoking functions uses escapeshellarg(), increasing risk. An ...

7.7 CVSS | 6.7 AI score | 0.00768 EPSS
Exploits: 1 | References: 1
Positive Technologies
added 2026/06/05 12:00 a.m. | 9 views

PT-2026-47030

Name of the Vulnerable Software and Affected Versions: HAX CMS versions prior to 26.0.0. Description: An OS command injection issue exists in the Git.php library of the PHP backend. The application executes shell command strings using the proc_open function without properly sanitizing input. An...

7.7 CVSS | 6.6 AI score | 0.00768 EPSS
Exploits: 1 | References: 4
Positive Technologies
added 2025/11/25 12:00 a.m. | 11 views

PT-2025-48094

Name of the Vulnerable Software and Affected Versions: AI Feeds plugin for WordPress versions through 1.0.11. Description: The AI Feeds plugin for WordPress is susceptible to arbitrary file uploads because of a missing capability check in the actualizador git.php file. This allows unauthenticated...

9.8 CVSS | 7.2 AI score | 0.00856 EPSS
Exploits: 3 | References: 8
Positive Technologies
added 2025/11/25 12:00 a.m. | 10 views

PT-2025-48093

Name of the Vulnerable Software and Affected Versions: CIBELES AI plugin for WordPress versions through 1.10.8. Description: The CIBELES AI plugin for WordPress has a flaw that allows unauthorized file uploads. This is due to a missing check for appropriate permissions within the actualizador git.ph...

9.8 CVSS | 7.2 AI score | 0.00856 EPSS
Exploits: 3 | References: 10