PT-2026-41977 · Npm · @Haxtheweb/Haxcms-Nodejs +2

Published: 2026-05-19 · Updated: 2026-05-19 · CVE-2026-46396

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of <iframe> elements.
The application allows javascript: URIs in the src attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts.

Details

Successful exploitation allows access to any data available in the browser context, including:
  • Authentication tokens (e.g., JWT)
  • Session cookies (if not protected with HttpOnly)
  • Application configuration (e.g., window.appSettings)
  • User-specific data accessible via APIs
This significantly increases the impact beyond simple script execution.

PoC

Steps to reproduce:
  1. Log in to HAX CMS as any authenticated user.
  2. Create a new page or edit an existing page.
  3. Open the HTML source editor (<>).
  4. Insert the following payload:
<iframe srcdoc="&lt;script&gt;
  (function(){
    try {
      var jwt = parent.window.appSettings.jwt;
      alert('Stolen JWT: ' + jwt);
    } catch(e) {
      alert('Error: ' + e.message);
    }
  })();
&lt;/script&gt;" style="display:none" sandbox="allow-scripts allow-same-origin"></iframe>

Impact

This vulnerability allows stored XSS leading to:
  • Execution of arbitrary JavaScript in victim browsers
  • Access to sensitive client-side data, including authentication tokens and session identifiers
  • Unauthorized API actions performed on behalf of the victim
  • Session hijacking and full account takeover
Because the application exposes authentication data in the client-side environment, exploitation of this vulnerability can lead to complete compromise of user accounts and site content.
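The Summary and the PoC above describe two ways an <iframe> reaches the embedding document's scripts: a javascript: src, and a srcdoc frame sandboxed with both allow-scripts and allow-same-origin. The following is an added example of attribute-level checks a sanitizer hook could apply to each <iframe> before page HTML is stored; it is not HAX CMS code and the policy it enforces (allowlisted src schemes, no srcdoc, mandatory sandbox without the scripts + same-origin combination) is an assumption for illustration. It operates on already-decoded attribute values, as a DOM-based sanitizer would hand them over.

```javascript
// Added example, not part of HAX CMS: iframe attribute checks for a sanitizer hook.
// Policy below is assumed for illustration, not the project's own.

const ALLOWED_SRC_SCHEMES = new Set(['http:', 'https:']);

// Extract the URL scheme roughly the way a browser does before scheme parsing:
// drop ASCII control characters and whitespace (which defeat "javascript&#9;:"
// style evasions once decoded) and compare case-insensitively.
// Returns e.g. 'javascript:' or 'https:', or null for a relative URL.
function urlScheme(value) {
  const cleaned = String(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() + ':' : null;
}

// Check one iframe's decoded attribute map. Returns { ok: true } or { ok: false, reason }.
function checkIframeAttributes(attrs) {
  // srcdoc embeds arbitrary markup, script tags included, in a frame that
  // inherits the embedding page's origin: reject it outright.
  if ('srcdoc' in attrs) {
    return { ok: false, reason: 'srcdoc is not allowed' };
  }
  if (attrs.src !== undefined) {
    const scheme = urlScheme(attrs.src);
    // Relative URLs (scheme null) stay on the site's own origin; absolute
    // URLs must use an allowlisted scheme, so javascript: and data: are rejected.
    if (scheme !== null && !ALLOWED_SRC_SCHEMES.has(scheme)) {
      return { ok: false, reason: 'disallowed src scheme ' + scheme };
    }
  }
  if (attrs.sandbox === undefined) {
    return { ok: false, reason: 'iframe must carry a sandbox attribute' };
  }
  const tokens = new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  // allow-scripts together with allow-same-origin lets a same-origin (or srcdoc)
  // frame run script with full access to parent.window, which is what the PoC relies on.
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    return { ok: false, reason: 'allow-scripts must not be combined with allow-same-origin' };
  }
  return { ok: true };
}
```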

Fix

Weakness Enumeration

XSS

Related Identifiers

CVE-2026-46396
GHSA-JH3H-RPXG-FR36

Affected Products

@Haxtheweb/Haxcms-Nodejs
@Haxtheweb/Iframe-Loader
@Haxtheweb/Video-Player