CVE-2025-32028
CVE-2025-32028 is a critical-severity vulnerability rated 9.9/10 on the CVSS scale. HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a 'save' function in 'HAXCMSFile.php'. EPSS estimates a 1.58% chance of exploitation in the next 30 days.
Description
HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a 'save' function in 'HAXCMSFile.php'. This save function uses a denylist to block specific file types from being uploaded to the server. This list is non-exhaustive and only blocks '.php', '.sh', '.js', and '.css' files. The existing logic causes the system to "fail open" rather than "fail closed." This vulnerability is fixed in 10.0.3.
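As an added illustration of the fail-open behaviour the description refers to (this is not HAX CMS code; the allowlist contents, the helper names and the sample file names are assumptions), the denylist check beside an allowlist check that fails closed:

```php
<?php
// Added illustration, not code from HAXCMSFile.php.

// The only extensions the advisory says the denylist blocked.
const DENYLIST = ['php', 'sh', 'js', 'css'];

// Hypothetical allowlist of what a microsite actually needs to upload;
// anything not on it is rejected.
const ALLOWLIST = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'md'];

// Lower-cased text after the last dot of the basename; "" when there is none.
function extensionOf(string $filename): string {
    $base = basename($filename);
    $pos = strrpos($base, '.');
    if ($pos === false) {
        return '';
    }
    return strtolower(substr($base, $pos + 1));
}

// Fails open: every extension the list does not mention is accepted,
// including ones the author never considered.
function denylistAccepts(string $filename): bool {
    return !in_array(extensionOf($filename), DENYLIST, true);
}

// Fails closed: only an explicitly listed extension is accepted, and a
// name with no extension is rejected rather than falling through.
function allowlistAccepts(string $filename): bool {
    $ext = extensionOf($filename);
    return $ext !== '' && in_array($ext, ALLOWLIST, true);
}

// Constructed sample names; 'unknown.xyz' and 'README' show the difference.
foreach (['photo.jpg', 'script.php', 'unknown.xyz', 'README'] as $name) {
    printf("%-12s denylist=%-6s allowlist=%s\n", $name,
        denylistAccepts($name) ? 'accept' : 'reject',
        allowlistAccepts($name) ? 'accept' : 'reject');
}
```

An extension check is only one layer: the upload directory should also be configured so the web server never executes files stored there.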
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Psu | Haxcms-Php | >= 9.0.0, < 10.0.3 |
References
- https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p (Exploit, Third Party Advisory)
Source: NVD / NIST
