CVE-2025-32028 CRITICAL

CVE-2025-32028: HAX CMS PHP allows Insecure File Upload to Lead to Remote Code Execution

Vendor Haxtheweb
Product issues
Weakness CWE-434 · Unrestricted file upload
Published April 8, 2025
Last update April 8, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

HAX CMS PHP allows you to manage your microsite universe with a PHP backend. Multiple file upload functions within the HAX CMS PHP application call a 'save' function in 'HAXCMSFile.php'. This save function uses a denylist to block specific file types from being uploaded to the server. The list is non-exhaustive: it blocks only '.php', '.sh', '.js', and '.css' files, and any extension it does not name is accepted. The check therefore "fails open" rather than "fails closed", which is the unrestricted file upload weakness (CWE-434) behind the remote code execution. This vulnerability is fixed in 10.0.3.
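The denylist pattern the advisory describes, beside an allowlist that fails closed, as an added illustration. This is not code from HAX CMS or HAXCMSFile.php; the function names, the allowlist contents and the sample uploads are all assumptions made for the example. The four blocked names are the ones the advisory lists. Whether an unlisted extension such as .phtml or .phar is actually executed on a given server depends on that server's handler configuration, which the advisory does not describe; the point shown here is only that the denylist accepts it (str_ends_with requires PHP 8.0 or later):

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (hypothetical, not the project's code): a denylist of
// extensions. Anything the list does not name is accepted, so it fails open.
function denylistAccepts(string $originalName): bool
{
    $blocked = ['.php', '.sh', '.js', '.css'];   // the four names the advisory lists
    $lower = strtolower($originalName);
    foreach ($blocked as $ext) {
        if (str_ends_with($lower, $ext)) {
            return false;
        }
    }
    return true;                                 // default outcome: accept
}

// Hardened pattern: an allowlist of extensions, each paired with the MIME type
// the file content must really have, plus a server-generated storage name so
// the client-supplied name (double extensions included) never reaches disk.
const ALLOWED_TYPES = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

// Returns the storage name to use, or null to reject (the default outcome).
function allowlistAccepts(string $originalName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;                             // unknown extension: fail closed
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED_TYPES[$ext]) {
        return null;                             // content does not match claimed type
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;   // name chosen by the server
}

// Constructed sample uploads: a valid PNG signature and a PHP payload body.
$pngHeader = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32);
$phpBody   = "<?php system(\$_GET['c']); ?>";

$cases = [
    ['shell.php',     $phpBody],    // rejected by both checks
    ['shell.phtml',   $phpBody],    // not on the denylist: accepted (fails open)
    ['shell.phar',    $phpBody],    // same
    ['shell.php.png', $phpBody],    // double extension: denylist only sees .png
    ['logo.png',      $pngHeader],  // legitimate upload: accepted by both
];

foreach ($cases as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $deny  = denylistAccepts($name) ? 'accepted' : 'rejected';
    $allow = allowlistAccepts($name, $tmp) !== null ? 'accepted' : 'rejected';
    printf("%-14s denylist: %-8s allowlist: %s\n", $name, $deny, $allow);
    unlink($tmp);
}
```

The two checks differ in their default: the denylist returns true for every name it has not been taught about, so each new extension the operator forgot is accepted; the allowlist returns null for everything it has not explicitly approved, and it additionally checks the bytes with finfo and discards the client's filename, so 'shell.php.png' carrying PHP source is rejected on content even though its last extension is approved.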

Key dates

Disclosure timeline

April 8, 2025 CVE published
April 8, 2025 Record updated