Cyber Resilience

CVE-2026-46399

CriticalRCEUpdated

Published: 05 June 2026

Published
05 June 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0029 20.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-46399 is a critical-severity External Control of System or Configuration Setting (CWE-15) vulnerability. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and…

more

achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Authenticated file overwrite (CWE-78) enables malicious Git filter config for RCE on public-facing PHP app.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

The PHP
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-73 CWE-78

Rejects externally supplied file or resource identifiers that fail validity checks.

addresses: CWE-15

The policy and procedures establish internal controls and change management for system configuration settings, reducing the feasibility of external unauthorized modifications.

addresses: CWE-15

Baseline configuration under change control directly prevents unauthorized external modification of system or configuration settings.

addresses: CWE-15

Requires approval, documentation, and security impact review of all configuration changes, directly preventing unauthorized external control of system settings.

addresses: CWE-15

Impact analysis of configuration changes reduces the risk of deploying settings that permit unauthorized external control.

addresses: CWE-15

Restricting changes to system and configuration settings prevents external entities from controlling those settings without approval.

addresses: CWE-15

Establishing, implementing, approving deviations from, and monitoring configuration settings directly prevents external or unauthorized control of system settings.

addresses: CWE-15

The plan defines processes for identifying and managing configuration items, preventing external unauthorized control of system settings.

References