CVE-2025-49141
Published 2025-06-09
Priority: P2 (61) | Severity: high | CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.50% (71.0th percentile)
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| haxtheweb | haxcms-nodejs | >= 0 < 11.0.3 | 11.0.3 |
| haxtheweb | issues | < 11.0.3 | 11.0.3 |
| psu | haxcms-nodejs | < 11.0.3 | 11.0.3 |
| psu | haxcms-php | < 11.0.0 | 11.0.0 |
OSV
HaxCMS-PHP Command Injection Vulnerability
osv·2025-06-09
CVE-2025-49141 [HIGH] HaxCMS-PHP Command Injection Vulnerability
### Summary
The `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection.
### Details
The vulnerability exists in the logic of the `gitImportSite` function, located in `Operations.php`. The current implementation relies only on the `filter_var` and `strpos` functions to validate the URL, which is not sufficient to exclude all shell metacharacters usable for command injection once the string reaches `proc_open`.
#### Affected Resources
• `Operations.php:2103` `gitImportSite()`
• `//system/api/gitImportSite`
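One way to close the gap the Details section describes, as an added hardening example (not HAX CMS code; the function names and the host allow-list are assumptions): validate the remote URL against a whole-string allow-list instead of `filter_var`/`strpos`, then hand it to git through the array form of `proc_open` so no shell ever parses it.

```php
<?php
// Added hardening example, not code from HAX CMS. Helper names are hypothetical.
// Two controls for the pattern in the advisory:
// (1) strict allow-list validation of the remote URL (whole string, safe charset);
// (2) proc_open with an argv array (PHP >= 7.4): git receives the URL as one
//     argument and no shell interprets metacharacters such as ; | $ ( ) ` or newlines.

declare(strict_types=1);

/**
 * Accept only https:// git URLs built from a safe character set.
 * Rejects userinfo, whitespace, shell metacharacters and non-https transports
 * (so git-specific transports like ext:: cannot be smuggled in either).
 */
function isSafeGitRemoteUrl(string $url): bool
{
    $pattern = '~^https://[A-Za-z0-9.-]+(:[0-9]{1,5})?/[A-Za-z0-9._/-]+(\.git)?$~';
    if (preg_match($pattern, $url) !== 1) {
        return false;
    }
    $host = parse_url($url, PHP_URL_HOST);
    // Deployment-specific allow-list of remote hosts (assumed configuration).
    $allowedHosts = ['github.com', 'gitlab.com'];
    return is_string($host) && in_array(strtolower($host), $allowedHosts, true);
}

/**
 * Set the git remote without a shell. Returns [exitCode, stdout, stderr].
 * Assumes git is on PATH and $repoDir already has an 'origin' remote.
 */
function setRemoteSafely(string $repoDir, string $url): array
{
    if (!isSafeGitRemoteUrl($url)) {
        throw new InvalidArgumentException('Rejected git remote URL');
    }
    // Array form: each element is one argv entry, never joined into a shell string.
    $cmd  = ['git', '-C', $repoDir, 'remote', 'set-url', 'origin', $url];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start git');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return [proc_close($proc), $out, $err];
}
```

A URL that `filter_var(..., FILTER_VALIDATE_URL)` accepts but that carries a quote, semicolon or subshell syntax in its path fails the regex here, and even a value that slipped through could not reach a shell because no shell is spawned.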
### PoC
To replicate this vulnerability, authenticate and send a POST request to the `gitImportSite` endpoint with
GHSA
HaxCMS-PHP Command Injection Vulnerability
ghsa·2025-06-09
CVE-2025-49141 [HIGH] CWE-78 HaxCMS-PHP Command Injection Vulnerability