CVE-2026-46511
Stored XSS in HAX CMS Leading to Account Takeover
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| haxtheweb | haxcms-nodejs | < 26.0.0 (26.0.0 excluded) |
| haxtheweb | haxcms-php | < 26.0.0 (26.0.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CWE-922 | The product stores sensitive information without properly limiting read or write access by unauthorized actors. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46511 is a critical vulnerability in HAX CMS versions up to 25.0.0 that involves a stored cross-site scripting (XSS) attack combined with dynamic token exposure through the /system/api/connectionSettings endpoint.
The system exposes sensitive authentication tokens such as jwt, user_token, site_token, and appstore_token in a global JavaScript variable called window.appSettings. An authenticated attacker with edit access can inject malicious JavaScript code that forces a victim's browser to fetch their connection settings, which include these tokens.
Because the request includes the victim's session cookie, the server returns the victim's tokens, which the attacker then extracts and sends to an attacker-controlled webhook. This allows the attacker to impersonate the victim and perform a complete cross-tenant account takeover without needing the victim's password.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to perform a complete cross-tenant account takeover by stealing sensitive authentication tokens through a stored XSS attack. Such unauthorized access and data exfiltration can lead to exposure of personal and sensitive information managed by the system.
As a result, organizations using affected versions of HAX CMS may face compliance issues with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure access controls. The compromise of authentication tokens and potential unauthorized administrative actions could violate data protection requirements and lead to regulatory penalties.
How can this vulnerability impact me?
This vulnerability can lead to a complete cross-tenant account takeover by an authenticated attacker.
- The attacker can steal sensitive authentication tokens and impersonate victims.
- They can bypass authentication and perform administrative actions such as creating or deleting sites.
- The attacker can modify user access or upload malicious content, potentially compromising the entire system.
The severity is critical due to the ease of exploitation and the potential for full system takeover.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying the presence of stored XSS payloads in the HAX CMS environment, particularly targeting the /system/api/connectionSettings endpoint where sensitive tokens are exposed.
You can monitor network traffic for suspicious requests to /system/api/connectionSettings that include authentication tokens in responses or unusual outbound requests to unknown webhooks, which may indicate token exfiltration.
Commands to assist detection might include:
- Using web application scanners or manual inspection to find stored XSS payloads in site content or user inputs.
- Using browser developer tools or proxy tools (e.g., Burp Suite) to inspect JavaScript variables like window.appSettings for exposed tokens.
- Monitoring HTTP logs or using tools like tcpdump or Wireshark to capture and analyze traffic to /system/api/connectionSettings for abnormal token leakage.
- Example command to capture traffic on port 80 or 443 (adjust as needed): tcpdump -i any -l -A 'tcp port 80 or tcp port 443' | grep '/system/api/connectionSettings' (the -l flag line-buffers tcpdump's output so grep sees matches immediately; note that on port 443 the request path is inside TLS and will only be visible if you capture at the TLS-terminating proxy or load balancer, or on the plaintext backend leg).
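As an added defensive example (not code from the advisory or from the HAX CMS project), the content audit below scans stored page HTML for the usual stored-XSS carriers (inline script tags, event-handler attributes, javascript: URIs) and prioritises any finding that references the token-bearing identifiers this advisory names; the page names and HTML are constructed sample input.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Identifiers named in the advisory: a script that abuses this bug has to reach
# the settings object or endpoint that carries the tokens.
TOKEN_MARKERS = ("appSettings", "/system/api/connectionSettings",
                 "jwt", "user_token", "site_token", "appstore_token")

# Generic carriers of injected script in stored HTML: (kind, regex, payload group).
PATTERNS = [
    ("script-tag", re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S), 1),
    ("event-handler", re.compile(r"\son[a-z]+\s*=\s*([\"'])(.*?)\1", re.I | re.S), 2),
    ("javascript-uri", re.compile(r"(?:href|src)\s*=\s*[\"']\s*javascript:([^\"']*)", re.I), 1),
]

@dataclass
class Finding:
    page: str
    kind: str
    snippet: str
    touches_tokens: bool  # True when the payload references a token marker

def scan_page(page: str, html: str) -> list[Finding]:
    """Return every script carrier found in one stored page."""
    out = []
    for kind, pat, grp in PATTERNS:
        for m in pat.finditer(html):
            body = m.group(grp)
            touches = any(marker in body for marker in TOKEN_MARKERS)
            out.append(Finding(page, kind, body.strip()[:80], touches))
    return out

def scan_site(pages: dict[str, str]) -> list[Finding]:
    """Scan a mapping of page name -> stored HTML (e.g. exported site content)."""
    return [f for page, html in pages.items() for f in scan_page(page, html)]

def high_priority(findings: list[Finding]) -> list[Finding]:
    """Findings that touch the token object/endpoint should be triaged first."""
    return [f for f in findings if f.touches_tokens]

# Constructed sample content: one clean page, one benign inline handler,
# one inline script that reads the exposed settings object.
SAMPLE_PAGES = {
    "about.html": "<h1>About</h1><p>Plain content, no scripts.</p>",
    "news.html": "<p>Hi</p><img src=\"x\" onerror=\"console.log('benign')\">",
    "welcome.html": "<p>Welcome</p><script>var t = window.appSettings.jwt;</script>",
}

if __name__ == "__main__":
    for f in scan_site(SAMPLE_PAGES):
        print(("!! " if f.touches_tokens else "   ") + f"{f.page} [{f.kind}] {f.snippet}")
```

Run it against an export of the site's stored content (or the editor's saved HTML fields) rather than the rendered pages, so that injected markup is seen before the browser executes it.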
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade HAX CMS to version 26.0.0 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict authenticated users' ability to inject scripts or edit site content to prevent stored XSS exploitation.
Additionally, monitor and audit user activities for suspicious behavior, especially any attempts to inject JavaScript or access the /system/api/connectionSettings endpoint.
Consider implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts.
Review and limit permissions to only trusted users to reduce the risk of an attacker gaining edit access.