PT-2026-2254 · Hax Cms · Hax Cms

August829 · Published 2026-01-10 · Updated 2026-02-05 · CVE-2026-22704

CVSS v3.1: 8.0 High

Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

HAX CMS versions 11.0.6 through 24.x
HAX CMS versions prior to 25.0.0

Description

HAX CMS, which manages microsite universes with PHP or NodeJs backends, is subject to a stored cross-site scripting (XSS) issue. This flaw potentially allows for account takeover. The issue affects versions using PHP or NodeJs backends. Stored XSS occurs when malicious scripts are injected into a website and stored on the server, allowing them to be executed when other users visit the affected pages.

Recommendations

HAX CMS versions 11.0.6 through 24.x should be upgraded to version 25.0.0 or later. HAX CMS versions prior to 25.0.0 should be upgraded to version 25.0.0 or later.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-22704
GHSA-3FM2-XFQ7-7778

Affected Products

Hax Cms