CVE-2026-46396
Deferred Deferred - Pending Action
Stored XSS in HAX CMS Prior to Version 26.0.0

Publication date: 2026-06-05

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` elements. The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts. Version 26.0.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-09
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2026-46396
EUVD
EUVD-2026-34891
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
haxtheweb haxcms to 26.0.0 (exc)
haxtheweb iframe_loader to 26.0.0 (exc)
haxtheweb video_player to 26.0.0 (exc)
haxtheweb haxcms_php to 26.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-46396 is a stored cross-site scripting (XSS) vulnerability in HAX CMS that occurs due to improper sanitization of <iframe> elements. Specifically, the application allows javascript: URIs in the src attribute of iframes, which are executed when a malicious page is viewed.

This flaw enables attackers to inject and execute arbitrary JavaScript code in the context of a victim's browser.

Impact Analysis

Exploitation of this vulnerability allows attackers to run arbitrary scripts in a victim's browser, which can lead to access to sensitive client-side data such as authentication tokens, session cookies, application configurations, and user-specific API data.

  • Full account takeover
  • Session hijacking
  • Unauthorized actions performed on behalf of the victim
Detection Guidance

Detection of this stored cross-site scripting (XSS) vulnerability involves identifying if your HAX CMS installation is running a vulnerable version (prior to 26.0.0) and if it improperly sanitizes <iframe> elements allowing javascript: URIs in the src attribute.

You can check the version of HAX CMS installed by inspecting package versions for npm packages such as @haxtheweb/haxcms-nodejs, @haxtheweb/iframe-loader, @haxtheweb/video-player, or the haxcms-php version.

  • For npm-based installations, run: npm list @haxtheweb/haxcms-nodejs @haxtheweb/iframe-loader @haxtheweb/video-player
  • For PHP-based installations, check the version in the haxcms-php package files or documentation.

To detect exploitation attempts or presence of malicious javascript: URIs in iframe src attributes, you can scan your stored content or database for iframe tags containing 'javascript:' in the src attribute.

  • Example command to search for suspicious iframe src attributes in stored files or database exports: grep -r '<iframe[^>]*src=["\']javascript:' /path/to/haxcms/content
  • Monitor web traffic for suspicious payloads or injected scripts that include iframe elements with javascript: URIs.
Mitigation Strategies

The primary mitigation step is to upgrade HAX CMS and all related packages to version 26.0.0 or later, where the vulnerability has been fixed.

Until the upgrade can be performed, you should sanitize or remove any iframe elements in stored content that use javascript: URIs in the src attribute to prevent execution of malicious scripts.

Additionally, review and restrict user input that can inject iframe elements, and implement Content Security Policy (CSP) headers to block execution of inline scripts or javascript: URIs.

Monitor logs and user activity for signs of exploitation such as unexpected script execution or account hijacking attempts.

Compliance Impact

The stored cross-site scripting (XSS) vulnerability in HAX CMS allows attackers to execute arbitrary JavaScript in a victim's browser, potentially accessing sensitive client-side data such as authentication tokens, session cookies, application configurations, and user-specific API data.

This unauthorized access and potential data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to compromised confidentiality and integrity of sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46396. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart