Executive Summary

CVE-2026-48527 is a stored Cross-Site Scripting (XSS) vulnerability in HaxCMS versions 26.0.0 and below. It occurs in the `/system/api/saveNode` endpoint, where an authenticated user with permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name.

For example, the payload `<a href="#"onclick="alert('kn1ph')">click me</a>` bypasses sanitization because the sanitizer expects a whitespace before the event handler attribute like `href="#" onclick="..."`. This malicious payload is stored in the generated page files and executes when a user clicks the injected link.

This vulnerability allows an attacker to inject stored JavaScript into page content that executes in the victim's browser if they interact with the malicious element while authenticated.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have significant impacts because it allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session within HaxCMS.

The injected script can access sensitive browser-exposed data such as localStorage.jwt tokens, window.appSettings, API paths, and authentication tokens.

With this access, an attacker could perform actions within the victim's permissions, potentially leading to unauthorized data access, privilege escalation, or further compromise of the system.

The CVSS score of 8.7 (High) reflects the severity, with a network attack vector, low attack complexity, and the requirement of user interaction.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the `/system/api/saveNode` endpoint for stored cross-site scripting (XSS) payloads that bypass the HTML sanitizer. Specifically, you can attempt to inject an event handler attribute without whitespace before the attribute name, such as `<a href="#"onclick="alert('kn1ph')">click me</a>`, and observe if it is stored and executed.

To detect this on your system, you can use tools like curl or HTTP clients to send crafted POST requests to the vulnerable endpoint and then check if the payload is stored and rendered in the page content.

• Example curl command to test injection: curl -X POST -d '{"content":"<a href=\"#\"onclick=\"alert('kn1ph')\">click me</a>"}' https://your-haxcms-instance/system/api/saveNode -H "Authorization: Bearer <token>" -H "Content-Type: application/json"
• After injection, visit the affected page in a browser and check if the JavaScript alert executes upon clicking the injected link.

Monitoring network traffic for suspicious payloads containing event handler attributes without whitespace in requests to `/system/api/saveNode` can also help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade HaxCMS to a patched version where this vulnerability is fixed.

• Upgrade @haxtheweb/haxcms-nodejs to version 26.0.1 or later.
• Upgrade haxcms-php to version 26.0.2 or later.

Until the upgrade can be applied, restrict page editing permissions to trusted users only, as the vulnerability requires authenticated users with page editing rights.

Additionally, monitor and audit content submitted to the `/system/api/saveNode` endpoint for suspicious payloads.

Useful 0 Not Useful 0

Compliance Impact

The stored cross-site scripting (XSS) vulnerability in HaxCMS allows an attacker to inject malicious JavaScript that can execute in the context of authenticated users. This can lead to unauthorized access to sensitive data such as tokens and API paths stored in the browser, potentially resulting in data breaches or unauthorized actions.

Such unauthorized access and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Useful 0 Not Useful 0