PT-2025-15465 · Hax Cms · Hax Cms
Userrpr · Published 2025-04-08 · Updated 2025-06-18 · CVE-2025-32028
CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: HAX CMS PHP versions prior to 10.0.3
Description: The issue lies in the save() function in HAXCMSFile.php, which allows unrestricted file uploads because it relies on a non-exhaustive denylist. The list blocks only files with the .php, .sh, .js, and .css extensions, so any extension not on it is accepted and the check "fails open" rather than "fails closed". A remote attacker can exploit this to upload files with malicious extensions and execute arbitrary code.
Recommendations: For versions prior to 10.0.3, update to version 10.0.3, which fixes the vulnerability. As a temporary workaround, restrict access to the save() function in HAXCMSFile.php to minimize the risk of exploitation, and restrict file uploads to only the file types that are actually needed to reduce the attack surface.
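The fail-open behaviour described above, next to the allowlist approach the recommendation calls for, as an added PHP illustration that is not HAX CMS code; the extension lists, function names and sample file names are constructed for the example:

```php
<?php
// Added illustration, not code from HAX CMS: a denylist extension check that
// fails open next to an allowlist check that fails closed.

// Constructed denylist with the four extensions the advisory says were blocked.
const DENIED_EXTENSIONS = ['php', 'sh', 'js', 'css'];

// Constructed allowlist: only the types this hypothetical uploader actually needs.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf'];

// Fail-open check: a name is accepted unless its last extension is on the
// denylist, so any extension the list author did not think of gets through.
function denylistAccepts(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, DENIED_EXTENSIONS, true);
}

// Fail-closed check: a name is accepted only when it has at least one
// extension and every dotted segment after the base name is on the allowlist.
function allowlistAccepts(string $filename): bool
{
    $parts = explode('.', basename($filename));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension, or a dotfile with an empty base name
    }
    array_shift($parts); // drop the base name, keep every extension segment
    foreach ($parts as $ext) {
        if (!in_array(strtolower($ext), ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names; the third one shows where the two policies diverge.
$samples = ['photo.png', 'shell.php', 'upload.xyz', 'report.PDF'];
foreach ($samples as $name) {
    printf("%-12s denylist=%s allowlist=%s\n", $name,
        denylistAccepts($name) ? 'accept' : 'reject',
        allowlistAccepts($name) ? 'accept' : 'reject');
}
```

The unknown extension is accepted by the denylist and rejected by the allowlist; that difference is the "fail open" versus "fail closed" distinction in the description.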

Weakness Enumeration: Unrestricted File Upload

Related Identifiers:
BDU:2025-04769
CVE-2025-32028
GHSA-VJ5Q-3JV2-CG5P

Affected Products: Hax Cms