CVE-2026-46496
Stored XSS in HAX CMS Video-Player Component
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hax_cms | hax_cms | < 26.0.0 (26.0.0 excluded) |
| haxtheweb | haxcms | < 26.0.0 (26.0.0 excluded) |
| haxtheweb | haxcms_nodejs | < 26.0.0 (26.0.0 excluded) |
| haxtheweb | video_player | < 26.0.0 (26.0.0 excluded) |
| haxtheweb | haxcms_php | < 26.0.0 (26.0.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in HAX CMS versions prior to 26.0.0. It occurs because the `<video-player>` component does not properly sanitize its `source` attribute, allowing `javascript:` URIs to be included. When a user views a page containing such a malicious payload, arbitrary JavaScript code is executed in their browser context.
The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering. Attackers can insert malicious scripts via the HTML source editor, which then execute when the page is viewed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the content managed by HAX CMS for the presence of malicious `javascript:` URIs in the `source` attribute of the `<video-player>` component. Since the vulnerability involves stored cross-site scripting, checking the HTML source or database entries for such payloads is essential.
There are no specific commands provided in the available resources to detect this vulnerability automatically on your network or system.
How can this vulnerability impact me?
This vulnerability can have severe impacts including theft of sensitive data such as JWT tokens, session hijacking, and full account takeover.
- Attackers can execute arbitrary JavaScript in the victim's browser.
- Authentication tokens can be stolen.
- An attacker can hijack user sessions.
- If an administrator views the malicious page, the entire CMS can be compromised.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade all affected HAX CMS packages (`@haxtheweb/haxcms-nodejs`, `@haxtheweb/video-player`, and `haxcms-php`) to version 26.0.0 or later, where the vulnerability is fixed.
Additionally, review and sanitize any existing content that may contain malicious `javascript:` URIs in the `<video-player>` component's `source` attribute to prevent execution of arbitrary JavaScript.
Limit user privileges and monitor for suspicious activity, especially from authenticated users who can edit content.
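The detection answer above notes that the page's resources provide no ready-made command, and the mitigation answer asks for a review of stored content. The following is an added example, not HAX CMS project code: a scheme allow-list check of the kind the fix needs for the `<video-player>` `source` attribute, and a scan over stored HTML that flags elements whose `source` does not pass that check, including the common evasions a plain string match misses (mixed case, embedded tab/newline characters, and HTML entity encoding such as `&#106;avascript:`). The allow-list of `http:`/`https:` plus relative URLs, the helper names, and the sample content are assumptions made for the example; the scanner is a regex heuristic over markup and should be swapped for a real HTML parser if you apply it at scale.

```javascript
// Added example (not HAX CMS project code). Assumed allow-list: absolute
// http(s) URLs and relative URLs (which inherit the page's scheme).
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns true only when the attribute value resolves to an allowed scheme.
// Parsing with the WHATWG URL class normalises case and strips the
// tab/newline characters browsers ignore, so "JaVaScRiPt:" and
// "java\tscript:" both surface as protocol "javascript:" and are rejected.
function isSafeVideoSource(value) {
  if (typeof value !== 'string') return false;
  const cleaned = value.trim().replace(/[\u0000-\u001F]/g, '');
  if (cleaned === '') return false;
  let parsed;
  try {
    // Relative URLs resolve against a placeholder https base (assumption).
    parsed = new URL(cleaned, 'https://placeholder.invalid/');
  } catch {
    return false; // unparseable -> treat as unsafe
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Minimal HTML entity decoder for attribute values: numeric (decimal/hex)
// references plus the named entities that matter for scheme smuggling.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                  colon: ':', tab: '\t', newline: '\n' };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (whole, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    const key = body.toLowerCase();
    return key in named ? named[key] : whole;
  });
}

// Scans stored markup for <video-player> tags whose `source` attribute fails
// the allow-list. Returns one finding per offending element.
function findUnsafeVideoSources(html) {
  const findings = [];
  const tagRe = /<video-player\b([^>]*)>/gi;
  const attrRe = /\bsource\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = attrRe.exec(m[1]);
    if (!a) continue; // no source attribute on this element
    const raw = a[1] ?? a[2] ?? a[3] ?? '';
    const decoded = decodeEntities(raw);
    if (!isSafeVideoSource(decoded)) {
      findings.push({ offset: m.index, source: decoded });
    }
  }
  return findings;
}

// Constructed sample of stored page content (not real CMS data). The first
// two elements are benign; the remaining four should be flagged.
const SAMPLE_STORED_HTML = `
<p>Lecture 1</p>
<video-player source="https://media.placeholder.invalid/lecture1.mp4"></video-player>
<video-player source="/local/clip.webm"></video-player>
<video-player source="javascript:void(0)"></video-player>
<video-player source="  JaVaScRiPt&#58;void(0)"></video-player>
<video-player source='&#106;avascript:void(0)'></video-player>
<video-player source="data:text/plain,placeholder"></video-player>
`;

const findings = findUnsafeVideoSources(SAMPLE_STORED_HTML);
for (const f of findings) {
  console.log(`unsafe video-player source at offset ${f.offset}: ${f.source}`);
}
```

Run it against an export of the stored page HTML (or the content tables) and review every finding; the same `isSafeVideoSource` check is what an editor-side or render-side validation would apply before accepting a `source` value, which is the shape of fix that removes the `javascript:` path rather than blocking one spelling of it.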
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to execute arbitrary JavaScript in the context of the victim's browser and access sensitive data such as JWT tokens. This can lead to theft of authentication tokens, session hijacking, full account takeover, and potential full CMS compromise if an administrator views the malicious page.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and user privacy.