PT-2025-24566 · Hax Cms · Hax Cms

Userrpr · Published 2025-06-09 · Updated 2025-06-20 · CVE-2025-49141

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: HAX CMS PHP versions prior to 11.0.3
Description: The issue concerns the gitImportSite functionality, which obtains a URL string from a POST request and insufficiently validates it. This allows an authenticated attacker to craft a URL string that bypasses the validation checks, enabling execution of arbitrary OS commands on the backend server; command output can be exfiltrated via an HTTP request. The set_remote function passes that user input into proc_open, yielding OS command injection.
Recommendations: For versions prior to 11.0.3, update to version 11.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the gitImportSite functionality until the patch is applied. Additionally, restricting the use of the set_remote function and of proc_open calls with unvalidated user input can help minimize the risk of exploitation.
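As an added, hypothetical illustration (not HAX CMS's own gitImportSite or set_remote code), the hardened pattern the recommendation points at: validate the user-supplied remote URL against a strict allow-list and hand it to proc_open as a separate argv entry instead of interpolating it into a shell command string. Function names and paths below are assumptions.

```php
<?php
// Hypothetical hardened handling of a user-supplied git remote URL.
// Illustration only; not HAX CMS code.

function validateRemoteUrl(string $url): ?string {
    $url = trim($url);
    // Empty input, or input starting with '-', could be read by git as an option.
    if ($url === '' || $url[0] === '-') return null;
    // Only plain https URLs with a host and a path; no credentials in the URL.
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') return null;
    if (!isset($parts['host']) || isset($parts['user']) || isset($parts['pass'])) return null;
    // Conservative character allow-list for the whole string: no shell
    // metacharacters (; | & $ ` etc.) can survive this check.
    $re = '~^https://[A-Za-z0-9.\-]+(?::\d{1,5})?/[A-Za-z0-9._/\-]+(?:\.git)?$~';
    return preg_match($re, $url) === 1 ? $url : null;
}

function setRemoteSafely(string $repoDir, string $url): int {
    $valid = validateRemoteUrl($url);
    if ($valid === null) throw new InvalidArgumentException('invalid remote URL');
    // Array form of the command (PHP >= 7.4) runs git directly without /bin/sh,
    // so $valid is always one argv element and is never parsed as shell syntax.
    // '--' ends git option parsing, so the URL cannot be interpreted as a flag.
    $cmd  = ['git', '-C', $repoDir, 'remote', 'set-url', 'origin', '--', $valid];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) throw new RuntimeException('failed to start git');
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);   // non-zero exit means git rejected the operation
}

// Example usage with a constructed request value (path is an assumption):
// setRemoteSafely('/var/www/sites/example', $_POST['url'] ?? '');
```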

Exploit

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2025-49141, GHSA-G4CF-PP4X-HQGW

Affected Products: Hax Cms