{"uuid": "ac05c7d8-8852-4d07-b00f-5b3fd3bf1ec8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-VJ5Q-3JV2-CG5P", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/10954", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-32028\n\ud83d\udd25 CVSS Score: 10 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)\n\ud83d\udd39 Description: HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a \u2019save\u2019 function in \u2019HAXCMSFile.php\u2019. This save function uses a denylist to block specific file types from being uploaded to the server. This list is non-exhaustive and only blocks \u2019.php\u2019, \u2019.sh\u2019, \u2019.js\u2019, and \u2019.css\u2019 files. The existing logic causes the system to \"fail open\" rather than \"fail closed.\" This vulnerability is fixed in 10.0.3.\n\ud83d\udccf Published: 2025-04-08T16:06:33.976Z\n\ud83d\udccf Modified: 2025-04-08T16:06:33.976Z\n\ud83d\udd17 References:\n1. https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p", "creation_timestamp": "2025-04-08T16:46:45.000000Z"}