CVE-2026-22704
Published 2026-01-10
Priority P4 · 33 · medium 5.4 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 1.04% (59.6th percentile)
HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| haxtheweb | haxcms-nodejs | >= 11.0.6 < 25.0.0 | 25.0.0 |
| haxtheweb | haxcms-php | < 26.0.0 | 26.0.0 |
| psu | haxcms-nodejs | — | — |
OSV
HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover
osv·2026-01-13
CVE-2026-22704 [HIGH] HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover
### Summary
Stored XSS Leading to Account Takeover
### Details
The Exploit Chain:
1. Upload: The attacker uploads an `.html` file containing a JavaScript payload.
2. Execution: A logged-in administrator is tricked into visiting the URL of this uploaded file.
3. Token Refresh: The JavaScript payload makes a `fetch` request to the `/system/api/refreshAccessToken` endpoint. Because the administrator is logged in, their browser automatically attaches the `haxcms_refresh_token` cookie to this request.
4. JWT Theft: The server validates the refresh token and responds with a new, valid JWT access token in the JSON response.
5. Exfiltration: The JavaScript captures this new JWT from the response and sends it to an attacker-controll
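The root cause in steps 1 and 2 is that a user-uploaded `.html` file is served inline from the CMS origin, so its script runs with the administrator's cookies and can reach the cookie-authenticated refresh endpoint. The following is an added example of the defensive header policy a Node.js backend can apply when serving uploads; it is not HAX CMS code and does not describe the project's actual fix. The function names (`isActiveContent`, `uploadResponseHeaders`, `buildUploadResponse`) and the sample upload list are hypothetical and constructed for illustration.

```javascript
// Added example, not code from HAX CMS: response headers for serving user
// uploads so that an uploaded .html (or .svg) file cannot execute script in
// the CMS origin, and therefore cannot call a cookie-authenticated endpoint
// such as /system/api/refreshAccessToken on a logged-in admin's behalf.

// MIME types a browser treats as active documents (may run script).
const ACTIVE_CONTENT_TYPES = new Set([
  "text/html",
  "application/xhtml+xml",
  "image/svg+xml",
  "text/xml",
  "application/xml",
]);

// Extensions rendered as active documents regardless of the declared type.
const ACTIVE_EXTENSIONS = new Set([".html", ".htm", ".xhtml", ".svg", ".xml"]);

// Last path component, with both slash styles treated as separators.
function baseName(name) {
  return String(name).split(/[\\/]/).pop();
}

// Lower-cased extension including the dot; a leading-dot name has no extension.
function extName(name) {
  const i = name.lastIndexOf(".");
  return i > 0 ? name.slice(i).toLowerCase() : "";
}

// True when either the extension or the declared Content-Type could be
// rendered as a document that runs script.
function isActiveContent(filename, declaredType) {
  const mime = String(declaredType || "").split(";")[0].trim().toLowerCase();
  return ACTIVE_EXTENSIONS.has(extName(filename)) || ACTIVE_CONTENT_TYPES.has(mime);
}

// Keep the filename safe to echo inside a quoted Content-Disposition parameter.
function sanitizeName(filename) {
  return baseName(filename).replace(/[^A-Za-z0-9._-]/g, "_") || "download";
}

// Headers to attach to every response that serves a user-uploaded file.
function uploadResponseHeaders(filename, declaredType) {
  return {
    // Force a download instead of inline rendering.
    "Content-Disposition": `attachment; filename="${sanitizeName(filename)}"`,
    // Stop the browser from sniffing text/plain back into HTML.
    "X-Content-Type-Options": "nosniff",
    // If the file is rendered anyway, it runs in an opaque origin with no
    // script, network or cookie access to the CMS.
    "Content-Security-Policy": "sandbox; default-src 'none'",
    // Active content is downgraded to plain text; passive types keep their type.
    "Content-Type": isActiveContent(filename, declaredType)
      ? "text/plain; charset=utf-8"
      : String(declaredType || "application/octet-stream"),
  };
}

// Hypothetical handler shape: returns status and headers for a requested
// upload name; the caller streams the file body. Names with path separators
// or a leading dot are rejected outright.
function buildUploadResponse(requestedName, declaredType) {
  const safeName = baseName(requestedName);
  if (safeName !== requestedName || safeName.startsWith(".") || safeName === "") {
    return { status: 400, headers: {} };
  }
  return { status: 200, headers: uploadResponseHeaders(safeName, declaredType) };
}

// Constructed sample uploads, not taken from any real HAX CMS instance.
const SAMPLE_UPLOADS = [
  ["payload.html", "text/html"],
  ["logo.svg", "image/svg+xml"],
  ["photo.png", "image/png"],
  ["../../etc/passwd", "text/plain"],
];
for (const [name, type] of SAMPLE_UPLOADS) {
  console.log(name, "->", JSON.stringify(buildUploadResponse(name, type)));
}
```

The header approach is the in-place mitigation; the stronger fix is to serve uploads from a separate origin that holds no CMS cookies. Note that a `SameSite` attribute on `haxcms_refresh_token` would not have stopped the chain described above, because the uploaded file's `fetch` is a same-origin request.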
GHSA
HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover
ghsa·2026-01-13
CVE-2026-22704 [HIGH] CWE-79 HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover
No detection rules found.