CVE-2026-46396
Published 2026-06-05
Priority P343 · Critical · CVSS 4.0 base score 9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS 0.23% (13.7th percentile)
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` elements. The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts. Version 26.0.0 fixes the issue.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| haxtheweb | haxcms-nodejs | < 26.0.0 | 26.0.0 |
| haxtheweb | haxcms-nodejs | >= 0 < 26.0.0 | 26.0.0 |
| haxtheweb | iframe-loader | < 26.0.0 | 26.0.0 |
| haxtheweb | iframe-loader | >= 0 < 26.0.0 | 26.0.0 |
| haxtheweb | video-player | < 26.0.0 | 26.0.0 |
| haxtheweb | video-player | >= 0 < 26.0.0 | 26.0.0 |
VulDB
vuldb · 2026-06-06 · CVSS 9.3
CVE-2026-46396 [CRITICAL] haxtheweb haxcms-nodejs/video-player/iframe-loader up to 25.x src cross site scripting (GHSA-jh3h-rpxg-fr36)
A vulnerability was found in haxtheweb haxcms-nodejs, video-player and iframe-loader up to 25.x. It has been rated as problematic. Affected is an unknown function. The manipulation of the argument src leads to cross site scripting.
This vulnerability is referenced as CVE-2026-46396. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is advised.
GHSA
ghsa · 2026-05-19
CVE-2026-46396 [HIGH] CWE-79 Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover
### Summary
A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of `<iframe>` elements.
The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts.
### Details
Successful exploitation allows access to any data available in the browser context, including:
- Authentication tokens (e.g., JWT)
- Session cookies (if not protected with HttpOnly)
- Application configuration (e.g., window.appSettings)
- User-specific data accessible via APIs
This significantly
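The `javascript:` `src` check described in the summaries above, as an added example that is not HAX CMS, GHSA or VulDB code and does not reproduce the project's actual sanitizer. It contrasts a hypothetical naive prefix blocklist (illustrating the bug class, not the vendor's code) with a scheme allowlist built on Node's WHATWG `URL` parser, which normalises case and strips leading whitespace and embedded tab/newline the same way a browser does before navigating the frame. The page origin used to resolve relative `src` values and the sample inputs are constructed assumptions.

```javascript
// Added example (not HAX CMS code): a naive <iframe> src blocklist next to a
// scheme-allowlist check built on the WHATWG URL parser that Node ships.
// PAGE_ORIGIN is an assumed placeholder for the site the page is served from.
const PAGE_ORIGIN = "https://example.invalid/";
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Hypothetical naive check of the kind that lets javascript: URIs through:
// it only matches the exact lowercase prefix, so a case change, leading
// whitespace or an embedded tab bypasses it while the browser still runs it.
function naiveIsSafeSrc(src) {
  return !src.startsWith("javascript:");
}

// Hardened check: parse with the WHATWG URL parser (lowercases the scheme,
// strips leading/trailing C0 controls and spaces, removes tab/CR/LF) and then
// allow only http(s). Anything unparseable is rejected rather than passed on.
// This must run on the decoded attribute value, as a browser would see it.
function isSafeIframeSrc(src) {
  if (typeof src !== "string") return false;
  let url;
  try {
    url = new URL(src, PAGE_ORIGIN); // relative srcs resolve to the page origin
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Sanitiser for a stored attribute value: keep the normalised src only if it
// is safe, otherwise return null so the caller drops the attribute entirely.
function sanitizeIframeSrc(src) {
  return isSafeIframeSrc(src) ? new URL(src, PAGE_ORIGIN).href : null;
}

// Constructed inputs representing values an author could store in a page.
const SAMPLES = [
  "https://www.youtube.com/embed/xyz",         // legitimate embed
  "/pages/intro.html",                         // relative, same origin
  "javascript:alert(document.cookie)",         // the reported pattern
  "JavaScript:alert(1)",                       // case variant
  "  javascript:alert(1)",                     // leading whitespace
  "java\tscript:alert(1)",                     // embedded tab, removed by the parser
  "data:text/html,<script>alert(1)</script>",  // non-http scheme
];

// Side-by-side verdicts of the two checks for each sample.
function compareChecks(samples = SAMPLES) {
  return samples.map((src) => ({
    src,
    naive: naiveIsSafeSrc(src),
    hardened: isSafeIframeSrc(src),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks());
}
```

Run with `node` to see the table; the naive column reports the case, whitespace and tab variants as safe while the hardened column rejects them along with `data:`. An allowlist on scheme does not bound which hosts may be framed, so a host allowlist and a `sandbox` attribute on rendered frames are the natural next layers.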
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.