
CVE-2025-49141: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in haxtheweb issues

High
Tags: Vulnerability, CVE-2025-49141, CWE-78
Published: Mon Jun 09 2025 (06/09/2025, 21:11:08 UTC)
Source: CVE Database V5
Vendor/Project: haxtheweb
Product: issues

Description

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 00:01:50 UTC

Technical Analysis

CVE-2025-49141 is a high-severity OS command injection vulnerability affecting the haxtheweb CMS PHP product named 'issues' in versions prior to 11.0.3. The vulnerability arises in the `gitImportSite` functionality, which accepts a URL string from a POST request. This input is insufficiently validated before being passed to the `set_remote` function, which subsequently invokes the PHP `proc_open` function to execute system commands. The validation attempts use `filter_var` and `strpos` functions, but these checks can be bypassed by an authenticated attacker who crafts a malicious URL string. This allows arbitrary OS command execution on the backend server hosting the CMS. The attacker can also exfiltrate the output of these commands via HTTP responses, enabling data theft or further system reconnaissance. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that special characters or sequences are not properly sanitized before being used in OS command contexts. The CVSS v3.1 base score is 8.6, reflecting a high impact on confidentiality, integrity, and availability, with network attack vector, low privileges required, no user interaction, and scope change. The vendor has addressed this issue in version 11.0.3 by patching the input validation and command execution logic to prevent injection. No known exploits are currently reported in the wild, but the vulnerability's nature and ease of exploitation make it a critical risk for affected deployments.
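The following PHP is an added illustration for this analysis, not HAX CMS code: the function names (`set_remote_vulnerable`, `set_remote_hardened`, `validate_git_remote`, `run`), the `GIT_HOST_ALLOWLIST` constant and the exact git invocation are assumptions. It places the CWE-78 pattern described above (a POST-supplied URL checked only by `filter_var` and `strpos`, then interpolated into a shell string for `proc_open`) beside a hardened form that allowlists scheme and host, rebuilds the URL from its parsed parts so the value executed is the value that was checked, and hands `proc_open` an argv array so no shell ever parses the input.

```php
<?php
// Added illustration, not HAX CMS code. All names below are hypothetical.
declare(strict_types=1);

// Shared runner. proc_open accepts either a command string (which /bin/sh
// parses, so metacharacters are live) or an argv array (PHP >= 7.4, no shell).
function run(string|array $cmd): string
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return 'error: could not start process';
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);
    return "exit={$code} stdout={$out} stderr={$err}";
}

// ---- Vulnerable pattern (hypothetical reconstruction of the described bug) ----
// filter_var only checks that the value is shaped like a URL, strpos blocks a
// single substring, and whatever survives is pasted into a shell command line.
function set_remote_vulnerable(string $repoDir, string $url): string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return 'rejected: not a URL';
    }
    if (strpos($url, ' ') !== false) {
        return 'rejected: contains a space';
    }
    $cmd = 'git -C ' . $repoDir . ' remote add origin ' . $url; // shell string
    return run($cmd);
}

// ---- Hardened form ---------------------------------------------------------
const GIT_HOST_ALLOWLIST = ['github.com', 'gitlab.com']; // hypothetical policy

// Returns a canonical https URL built from validated parts, or null.
function validate_git_remote(string $url): ?string
{
    if (strlen($url) > 2048 || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false) {
        return null;
    }
    // Allowlist the scheme rather than blocklisting substrings. https only;
    // this also excludes git transports that delegate to helper programs.
    if (strtolower($p['scheme'] ?? '') !== 'https') {
        return null;
    }
    // Host must be a syntactically valid hostname and on the allowlist.
    $host = strtolower($p['host'] ?? '');
    if ($host === ''
        || filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false
        || !in_array($host, GIT_HOST_ALLOWLIST, true)) {
        return null;
    }
    // A repository URL carries no credentials, port, query or fragment.
    foreach (['user', 'pass', 'port', 'query', 'fragment'] as $k) {
        if (isset($p[$k])) {
            return null;
        }
    }
    // Path: conservative character set, no empty or '..' segments.
    $path = $p['path'] ?? '';
    if (!preg_match('~^/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*$~', $path)
        || in_array('..', explode('/', $path), true)) {
        return null;
    }
    return 'https://' . $host . $path;
}

function set_remote_hardened(string $repoDir, string $url): string
{
    $clean = validate_git_remote($url);
    if ($clean === null) {
        return 'rejected: remote URL failed validation';
    }
    // Argv array: each element is one argument, no shell involved. '--' ends
    // option parsing so git never reads an operand as a flag.
    return run(['git', '-C', $repoDir, 'remote', 'add', '--', 'origin', $clean]);
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs; only the validator runs here, git is not invoked.
    $samples = [
        'https://github.com/example/site.git',   // accepted
        'http://github.com/example/site.git',    // scheme not https
        'https://evil.example/example/site.git', // host not allowlisted
        'https://github.com/a/../b',             // '..' segment
        'ssh://git@github.com/example/site.git', // non-https transport
    ];
    foreach ($samples as $u) {
        printf("%-42s -> %s\n", $u, validate_git_remote($u) ?? 'REJECTED');
    }
}
```

The two defences are independent: the allowlist keeps untrusted transports and hosts out of git, and the argv form keeps the shell out of the picture entirely, so a value that slipped past validation would still reach git as a single argument rather than as a command fragment.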

Potential Impact

For European organizations using haxtheweb CMS PHP 'issues' versions prior to 11.0.3, this vulnerability poses a significant risk. Successful exploitation can lead to full compromise of the backend server, allowing attackers to execute arbitrary commands, potentially leading to data breaches, service disruption, or lateral movement within the network. Confidentiality is at high risk due to the ability to exfiltrate command output, which may include sensitive configuration files, credentials, or business data. Integrity and availability are also threatened as attackers could modify or delete data, disrupt services, or deploy malware. Given the CMS's role in managing microsites, compromised servers could be used to host malicious content or launch further attacks against visitors or connected systems. The requirement for authentication limits exposure somewhat but does not eliminate risk, especially if credentials are weak, reused, or stolen. The vulnerability's network accessibility means attackers can exploit it remotely once authenticated, increasing the threat surface. European organizations in sectors such as government, finance, media, and critical infrastructure that rely on haxtheweb CMS for web presence or internal applications are particularly vulnerable.

Mitigation Recommendations

European organizations should immediately upgrade haxtheweb CMS PHP 'issues' to version 11.0.3 or later, where the vulnerability is patched. Until upgrades are completed, organizations should implement strict access controls to limit authenticated user privileges, ensuring only trusted users can access the `gitImportSite` functionality. Web application firewalls (WAFs) can be configured to detect and block suspicious POST requests containing unusual URL strings or command injection patterns targeting the vulnerable endpoint. Regularly audit and monitor logs for anomalous command execution or unexpected HTTP responses that could indicate exploitation attempts. Employ multi-factor authentication to reduce the risk of credential compromise. Additionally, conduct code reviews and penetration testing focused on input validation and command execution paths within the CMS to identify any residual or related vulnerabilities. Network segmentation can limit the impact of a compromised CMS server. Finally, maintain an up-to-date inventory of all haxtheweb CMS deployments to ensure no vulnerable instances remain in production or development environments.
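As an added example for the log-monitoring recommendation above (not part of the advisory or of HAX CMS; the JSON-lines log format, the `/api/gitImportSite` endpoint path and the field names are constructed), this PHP scans application-log records for POSTs to the import endpoint whose URL parameter does not look like a plain https repository URL, and tallies findings per user so repeated rejected attempts from one account stand out.

```php
<?php
// Added detection example; log format, endpoint path and data are constructed.
declare(strict_types=1);

// Constructed JSON-lines application log, one record per import request.
const SAMPLE_LOG = <<<'LOG'
{"ts":"2025-06-10T09:00:01Z","user":"editor1","ip":"203.0.113.5","path":"/api/gitImportSite","url":"https://github.com/example/site.git"}
{"ts":"2025-06-10T09:00:07Z","user":"editor2","ip":"203.0.113.9","path":"/api/gitImportSite","url":"http://github.com/example/site.git"}
{"ts":"2025-06-10T09:00:09Z","user":"editor2","ip":"203.0.113.9","path":"/api/gitImportSite","url":"https://github.com/example/site.git?x=;y"}
{"ts":"2025-06-10T09:00:12Z","user":"editor2","ip":"203.0.113.9","path":"/api/gitImportSite","url":"https://github.com/example/site.git#$(y)"}
{"ts":"2025-06-10T09:01:00Z","user":"editor3","ip":"198.51.100.7","path":"/api/other","url":"https://github.com/example/site.git"}
LOG;

// Returns a list of reasons a submitted remote URL looks suspicious.
function classify_url(string $url): array
{
    $findings = [];
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'https') {
        $findings[] = 'scheme:' . ($scheme === '' ? 'none' : $scheme);
    }
    // Shell metacharacters and whitespace have no place in a repository URL.
    if (preg_match('/[\s;|&`$(){}<>\'"\\\\]/', $url)) {
        $findings[] = 'shell-metachar';
    }
    // Percent-encoded control characters (%00-%1F, %7F).
    if (preg_match('/%(?:[01][0-9a-f]|7f)/i', $url)) {
        $findings[] = 'encoded-control-char';
    }
    if ($url !== '' && $url[0] === '-') {
        $findings[] = 'leading-dash';
    }
    return $findings;
}

// Scans the log and returns one alert per flagged request to the endpoint.
function scan_import_log(string $log, string $endpoint = '/api/gitImportSite'): array
{
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || ($rec['path'] ?? '') !== $endpoint) {
            continue;
        }
        $url = (string) ($rec['url'] ?? '');
        $findings = classify_url($url);
        if ($findings !== []) {
            $alerts[] = ['ts' => $rec['ts'] ?? '', 'user' => $rec['user'] ?? '',
                         'ip' => $rec['ip'] ?? '', 'findings' => $findings, 'url' => $url];
        }
    }
    return $alerts;
}

// Repeated flagged requests from one account are the strongest signal.
function count_by_user(array $alerts): array
{
    $counts = [];
    foreach ($alerts as $a) {
        $counts[$a['user']] = ($counts[$a['user']] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

if (PHP_SAPI === 'cli') {
    $alerts = scan_import_log(SAMPLE_LOG);
    foreach ($alerts as $a) {
        printf("%s user=%s ip=%s [%s] %s\n", $a['ts'], $a['user'], $a['ip'],
               implode(',', $a['findings']), $a['url']);
    }
    foreach (count_by_user($alerts) as $user => $n) {
        printf("%s: %d flagged request(s)\n", $user, $n);
    }
}
```

On the constructed log this flags the three `editor2` requests (non-https scheme, then metacharacters in the query and fragment) and ignores the clean request and the request to a different endpoint; in a real deployment the same checks can feed a WAF rule on the POST parameter or a SIEM correlation keyed on user and source address.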


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-02T10:39:41.634Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68487f541b0bd07c3938a0a5

Added to database: 6/10/2025, 6:54:12 PM

Last enriched: 7/11/2025, 12:01:50 AM

Last updated: 8/1/2025, 7:46:31 AM
