CVE-2026-46496
Deferred Deferred - Pending Action
Stored XSS in HAX CMS Video-Player Component

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-player>` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2026-46496
EUVD
EUVD-2026-34892
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
hax_cms hax_cms to 26.0.0 (exc)
haxtheweb haxcms to 26.0.0 (exc)
haxtheweb haxcms_nodejs to 26.0.0 (exc)
haxtheweb video_player to 26.0.0 (exc)
haxtheweb haxcms_php to 26.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by inspecting the content managed by HAX CMS for the presence of malicious `javascript:` URIs in the `source` attribute of the `<video-player>` component. Since the vulnerability involves stored cross-site scripting, checking the HTML source or database entries for such payloads is essential.

There are no specific commands provided in the available resources to detect this vulnerability automatically on your network or system.

Compliance Impact

The vulnerability allows attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens. This can lead to theft of authentication tokens, session hijacking, full account takeover, and potential full CMS compromise if an administrator views the malicious page.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and user privacy.

Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in HAX CMS versions prior to 26.0.0. It occurs because the `<video-player>` component does not properly sanitize its `source` attribute, allowing `javascript:` URIs to be included. When a user views a page containing such a malicious payload, arbitrary JavaScript code is executed in their browser context.

The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering. Attackers can insert malicious scripts via the HTML source editor, which then execute when the page is viewed.

Impact Analysis

This vulnerability can have severe impacts including theft of sensitive data such as JWT tokens, session hijacking, and full account takeover.

  • Attackers can execute arbitrary JavaScript in the victim's browser.
  • Authentication tokens can be stolen.
  • An attacker can hijack user sessions.
  • If an administrator views the malicious page, the entire CMS can be compromised.
Mitigation Strategies

The immediate mitigation step is to upgrade all affected HAX CMS packages (`@haxtheweb/haxcms-nodejs`, `@haxtheweb/video-player`, and `haxcms-php`) to version 26.0.0 or later, where the vulnerability is fixed.

Additionally, review and sanitize any existing content that may contain malicious `javascript:` URIs in the `<video-player>` component's `source` attribute to prevent execution of arbitrary JavaScript.

Limit user privileges and monitor for suspicious activity, especially from authenticated users who can edit content.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46496. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart