CVE-2025-32028

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-32028

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32028.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-32028

Aliases

GHSA-vj5q-3jv2-cg5p

Published

2025-04-08T16:06:33.976Z

Modified

2026-03-14T12:43:41.276340Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

HAX CMS PHP allows Insecure File Upload to Lead to Remote Code Execution

Details

HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a ’save’ function in ’HAXCMSFile.php’. This save function uses a denylist to block specific file types from being uploaded to the server. This list is non-exhaustive and only blocks ’.php’, ’.sh’, ’.js’, and ’.css’ files. The existing logic causes the system to "fail open" rather than "fail closed." This vulnerability is fixed in 10.0.3.

Database specific

{
    "cwe_ids": [
        "CWE-434"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32028.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/haxtheweb/haxcms-php

Affected ranges

Type

GIT

Repo

https://github.com/haxtheweb/haxcms-php

Events

Introduced

45f913815e8c0c1c56ddb02d82198fab6d8acf3a

Fixed

18e0d713170b52e22564dbf58cf7f4d3adad3530

Database specific

{
    "versions": [
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "10.0.3"
        }
    ]
}

Affected versions

10.*

10.0.0

9.*

9.0.21

v9.*

v9.0.0

v9.0.1

v9.0.2

v9.0.3

v9.0.5

v9.0.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32028.json"