CVE-2025-32028

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-32028
HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a ’save’ function in ’HAXCMSFile.php’. This save function uses a denylist to block specific file types from being uploaded to the server. This list is non-exhaustive and only blocks ’.php’, ’.sh’, ’.js’, and ’.css’ files. The existing logic causes the system to "fail open" rather than "fail closed." This vulnerability is fixed in 10.0.3.

9.9 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p Exploit Third Party Advisory
https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*
History

30 Jul 2025, 17:36

Type Values Removed Values Added
CPE cpe:2.3:a:haxtheweb:hax:*:*:*:*:*:*:*:* cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*
References () https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p - Third Party Advisory, Exploit () https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p - Exploit, Third Party Advisory
First Time Psu haxcms-php
Psu

18 Jun 2025, 13:46

Type Values Removed Values Added
First Time Haxtheweb hax
Haxtheweb
CPE cpe:2.3:a:haxtheweb:hax:*:*:*:*:*:*:*:*
Summary
  • (es) HAX CMS PHP le permite gestionar su universo de micrositios con un backend PHP. Varias funciones de carga de archivos dentro de la aplicación HAX CMS PHP llaman a una función de "guardar" en "HAXCMSFile.php". Esta función de "guardar" utiliza una lista de denegados para impedir que se carguen al servidor tipos específicos de archivo. Esta lista no es exhaustiva y solo bloquea los archivos ".php", ".sh", ".js" y ".css". La lógica existente provoca que el sistema "fallo abrir" en lugar de "fallo cerrar". Esta vulnerabilidad se corrigió en la versión 10.0.3.
References () https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p - () https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p - Third Party Advisory, Exploit

08 Apr 2025, 20:15

Type Values Removed Values Added
References () https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p - () https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p -

08 Apr 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-04-08 16:15

Updated : 2025-07-30 17:36

NVD link : CVE-2025-32028

Mitre link : CVE-2025-32028

CVE.ORG link : CVE-2025-32028

JSON object : View

Products Affected

psu

  • haxcms-php
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type