PT-2026-41978 · Npm · @Haxtheweb/Haxcms-Nodejs+1

Published

2026-05-19

·

Updated

2026-05-19

·

CVE-2026-46496

CVSS v4.0

5.1

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of the <video-player> component.
The component allows javascript: URIs in the source attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more.

Details

The vulnerability is present in the <video-player> web component used within the HAX CMS editor.
The application fails to validate or sanitize user-supplied input in the following attributes:
  • source
  • source-data
These attributes accept arbitrary URI schemes, including javascript:, which leads to execution of attacker-controlled JavaScript in the browser.
Example vulnerable usage:
<video-player 
 source="javascript:alert(document.domain)" 
 source-type="external">
</video-player>
Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.
The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering. Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.
The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.

PoC

Steps to reproduce:
  1. Log in to HAX CMS as user.
  2. Create a website or any page and switch to the HTML source editor (<>).
  3. Insert the following payload:
<video-player source="javascript:alert('JWT: '+localStorage.getItem('jwt').substring(0,30))" source-type="external"></video-player>
image
Save the page.
Reload or revisit or send the page.
Result image
A JavaScript alert executes. The JWT token is exposed. This confirms arbitrary JavaScript execution in the victim’s browser.

Impact

This vulnerability allows stored XSS leading to:
  • Theft of JWT authentication tokens
  • Session hijacking
  • Full account takeover
  • Execution of arbitrary JavaScript in victim browsers
If an administrator views a malicious page, this can lead to full CMS compromise.
Attack complexity: Low Privileges required: Low (any authenticated user) User interaction: Required

Fix

Improper Encoding or Escaping of Output

XSS

Weakness Enumeration

CWE-116CWE-79

Related Identifiers

CVE-2026-46496
GHSA-2M6P-HM3W-6JM3

Affected Products

@Haxtheweb/Haxcms-Nodejs
@Haxtheweb/Video-Player