Kn1Ph

**Name of the Vulnerable Software and Affected Versions** HAX CMS versions prior to 26.0.1 **Description** A stored cross-site scripting (XSS) issue exists in the '/system/api/saveNode' endpoint. An authenticated user with page editing permissions can bypass the HTML sanitizer by injecting an event handler attribute without a preceding whitespace. This occurs because the regex-based sanitization expects a space before event handler attributes, allowing payloads like `href="#"onclick="..."` to be stored in generated page files. When a user interacts with the injected element, the JavaScript executes in their browser, potentially allowing access to sensitive data such as `localStorage.jwt` and `window.appSettings`. The affected parameter is `node.body`. **Recommendations** Update @haxtheweb/haxcms-nodejs to version 26.0.1. Update haxcms-php to version 26.0.2.