HAX CMS: Stored XSS via ‘‘ component allows arbitrary JavaScript...

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the <video-player> component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.

AI Analysis

Stored cross-site scripting (XSS) vulnerability due to improper sanitization of the video-player component, allowing arbitrary JavaScript execution and token theft.

Basic Information

ID CVE-2026-46496

Source GitHub_M

Published Jun 5, 2026 at 18:46

Affected Product

Vendor haxtheweb

Product haxcms-nodejs

Version < 26.0.0

Affected Versions haxtheweb haxcms-nodejs < 26.0.0
haxtheweb video-player < 26.0.0

CWE Classification

CWE-79 CWE-116

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor haxtheweb

Product HAX CMS

Version < 26.0.0

References

github.com /haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3

{
    "lastseen": "",
    "description": "HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the <video-player> component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim\u2019s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.",
    "published": "2026-06-05T18:46:36.822Z",
    "modified": "2026-06-05T18:46:36.822Z",
    "type": "cve",
    "title": "HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft",
    "source": "GitHub_M",
    "references": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3",
    "id": "CVE-2026-46496",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79",
        "CWE-116"
    ],
    "cvelist": null,
    "sourceData": "haxtheweb haxcms-nodejs < 26.0.0\nhaxtheweb video-player < 26.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "haxcms-nodejs",
    "version": "< 26.0.0",
    "vendor": "haxtheweb",
    "ai_description": "Stored cross-site scripting (XSS) vulnerability due to improper sanitization of the video-player component, allowing arbitrary JavaScript execution and token theft.",
    "ai_severity": "Critical",
    "ai_vendor": "haxtheweb",
    "ai_product": "HAX CMS",
    "ai_version": "< 26.0.0",
    "ai_score": 9.3
}

HAX CMS: Stored XSS via ‘‘ component allows arbitrary JavaScript execution and token theft_CVE-2026-46496