CVE-2026-46511
published 2026-06-05CVE-2026-46511: HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token…
PriorityP352high8.7CVSS 4.0
AVNACLATNPRLUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.27%
19.2th percentile
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the `jwt`, `user_token`, `site_token`, and `appstore_token`) into a global JavaScript variable (`window.appSettings`). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook. Version 26.0.0 patches the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| haxtheweb | haxcms-nodejs | < 26.0.0 | 26.0.0 |
| haxtheweb | haxcms-nodejs | >= 0 < 26.0.0 | 26.0.0 |
| haxtheweb | haxcms-php | < 26.0.0 | 26.0.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
haxtheweb haxcms-nodejs/haxcms-php up to 25.x Setting connectionSettings cross site scripting (GHSA-x3x5-7h4h-gwxg)
vuldb·2026-06-06·CVSS 8.7
CVE-2026-46511 [HIGH] haxtheweb haxcms-nodejs/haxcms-php up to 25.x Setting connectionSettings cross site scripting (GHSA-x3x5-7h4h-gwxg)
A vulnerability was found in haxtheweb haxcms-nodejs and haxcms-php up to 25.x. It has been classified as problematic. Impacted is an unknown function of the file /system/api/connectionSettings of the component Setting Handler. This manipulation causes cross site scripting.
The identification of this vulnerability is CVE-2026-46511. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is recommended.
GHSA
HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack
ghsa·2026-05-19
CVE-2026-46511 [HIGH] CWE-522 HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack
HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack
### Summary
An attack chain utilizing **Stored XSS** alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the `jwt`, `user_token`, `site_token`, and `appstore_token`) into a global JavaScript variable (`window.appSettings`). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook.
### Details
In `Operations.php` (`connectionSettings()`), the system returns a Javascript object designed to bootstrap
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-05
Published