CVE-2026-48527

Name of the Vulnerable Software and Affected Versions HAX CMS versions prior to 26.0.1

Description A stored cross-site scripting (XSS) issue exists in the '/system/api/saveNode' endpoint. An authenticated user with page editing permissions can bypass the HTML sanitizer by injecting an event handler attribute without a preceding whitespace. This occurs because the regex-based sanitization expects a space before event handler attributes, allowing payloads like href="#"onclick="..." to be stored in generated page files. When a user interacts with the injected element, the JavaScript executes in their browser, potentially allowing access to sensitive data such as localStorage.jwt and window.appSettings. The affected parameter is node.body.

Recommendations Update @haxtheweb/haxcms-nodejs to version 26.0.1. Update haxcms-php to version 26.0.2.