Compliance Impact

This vulnerability allows an attacker to perform a complete cross-tenant account takeover by stealing sensitive authentication tokens through a stored XSS attack. Such unauthorized access and data exfiltration can lead to exposure of personal and sensitive information managed by the system.

As a result, organizations using affected versions of HAX CMS may face compliance issues with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure access controls. The compromise of authentication tokens and potential unauthorized administrative actions could violate data protection requirements and lead to regulatory penalties.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-46511 is a critical vulnerability in HAX CMS versions up to 25.0.0 that involves a stored cross-site scripting (XSS) attack combined with dynamic token exposure through the /system/api/connectionSettings endpoint.

The system exposes sensitive authentication tokens such as jwt, user_token, site_token, and appstore_token in a global JavaScript variable called window.appSettings. An authenticated attacker with edit access can inject malicious JavaScript code that forces a victim's browser to fetch their connection settings, which include these tokens.

Because the request includes the victim's session cookie, the server returns the victim's tokens, which the attacker then extracts and sends to an attacker-controlled webhook. This allows the attacker to impersonate the victim and perform a complete cross-tenant account takeover without needing the victim's password.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a complete cross-tenant account takeover by an authenticated attacker.

• The attacker can steal sensitive authentication tokens and impersonate victims.
• They can bypass authentication and perform administrative actions such as creating or deleting sites.
• The attacker can modify user access or upload malicious content, potentially compromising the entire system.

The severity is critical due to the ease of exploitation and the potential for full system takeover.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying the presence of stored XSS payloads in the HAX CMS environment, particularly targeting the /system/api/connectionSettings endpoint where sensitive tokens are exposed.

You can monitor network traffic for suspicious requests to /system/api/connectionSettings that include authentication tokens in responses or unusual outbound requests to unknown webhooks, which may indicate token exfiltration.

Commands to assist detection might include:

• Using web application scanners or manual inspection to find stored XSS payloads in site content or user inputs.
• Using browser developer tools or proxy tools (e.g., Burp Suite) to inspect JavaScript variables like window.appSettings for exposed tokens.
• Monitoring HTTP logs or using tools like tcpdump or Wireshark to capture and analyze traffic to /system/api/connectionSettings for abnormal token leakage.
• Example command to capture traffic on port 80 or 443 (adjust as needed): tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep '/system/api/connectionSettings'

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade HAX CMS to version 26.0.0 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict authenticated users' ability to inject scripts or edit site content to prevent stored XSS exploitation.

Additionally, monitor and audit user activities for suspicious behavior, especially any attempts to inject JavaScript or access the /system/api/connectionSettings endpoint.

Consider implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts.

Review and limit permissions to only trusted users to reduce the risk of an attacker gaining edit access.

Useful 0 Not Useful 0