CVE-2026-46396
published 2026-06-05

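Priority: P3 43
Severity: critical, 9.3 (CVSS 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.23% (13.7th percentile)
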
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `` elements. The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts. Version 26.0.0 fixes the issue.

Affected

6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| haxtheweb | haxcms-nodejs | < 26.0.0 | 26.0.0 |
| haxtheweb | haxcms-nodejs | >= 0 < 26.0.0 | 26.0.0 |
| haxtheweb | iframe-loader | < 26.0.0 | 26.0.0 |
| haxtheweb | iframe-loader | >= 0 < 26.0.0 | 26.0.0 |
| haxtheweb | video-player | < 26.0.0 | 26.0.0 |
| haxtheweb | video-player | >= 0 < 26.0.0 | 26.0.0 |