PT-2026-41979 · Npm+1 · @Haxtheweb/Haxcms-Nodejs+2
Published: 2026-05-19 · Updated: 2026-06-06 · CVE-2026-46511
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
HAX CMS versions prior to 26.0.0
Description
An attack chain combining Stored XSS and dynamic token exposure allows an authenticated attacker to perform a complete cross-tenant account takeover. The system is vulnerable to Stored XSS through vectors such as injected iframe srcdoc or <video-player>. The /system/api/connectionSettings endpoint, specifically the connectionSettings() function in Operations.php, leaks the active session's authentication tokens (including the jwt, user token, site token, and appstore token) into a global JavaScript variable named window.appSettings. An attacker can use the XSS to make a victim's browser fetch these settings, extract the tokens, and exfiltrate them to an external server. With the tokens, the attacker can impersonate the victim and perform administrative actions without a password.
Recommendations
Update to version 26.0.0.
Exploit
Fix
XSS
Insufficiently Protected Credentials
Insecure Storage of Sensitive Information
Related Identifiers
Affected Products
@Haxtheweb/Haxcms-Nodejs
Haxcms-Nodejs
Hax Cms Php