The vulnerability in haxcms-php prior to version 26.0.0 involves improper handling of case sensitivity in file upload validation and server configuration. The saveFile endpoint validates file extensions case-insensitively but writes filenames to disk without normalizing case. The .htaccess rule intended to force Content-Disposition: attachment on HTML files is case-sensitive and only applies to lowercase extensions. Consequently, HTML files uploaded with uppercase or mixed-case extensions bypass the forced download header and are served inline as text/html, enabling execution of embedded JavaScript in the context of the HAXcms origin. This flaw effectively circumvents the mitigation implemented for CVE-2026-22704. The issue is addressed in version 26.0.0.

An attacker can upload HTML files with uppercase or mixed-case extensions that are served inline by the web server, allowing execution of arbitrary JavaScript in the security context of the HAXcms origin. This can lead to cross-site scripting (XSS) attacks with high confidentiality and integrity impact, potentially compromising user data or session information. The vulnerability bypasses a prior mitigation, increasing risk to affected installations. There is no indication of known exploits in the wild at this time.

Version 26.0.0 of haxcms-php contains a fix for this vulnerability and should be applied to affected systems. Since the vendor advisory does not provide additional remediation details, upgrading to version 26.0.0 is the recommended action. Patch status is not explicitly confirmed beyond the version fix note, so users should verify the update from the vendor. No other mitigations are specified.