← Back to CVE List

CVE-2025-32028

Published: 2025-04-08T16:15Z
Last Modified: 2025-04-08T20:15Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a ’save’ function in ’HAXCMSFile.php’. This save function uses a denylist to block specific file types from being uploaded to the server. This list is non-exhaustive and only blocks ’.php’, ’.sh’, ’.js’, and ’.css’ files. The existing logic causes the system to "fail open" rather than "fail closed." This vulnerability is fixed in 10.0.3. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt