Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` elements. The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts. Version 26.0.0 fixes the issue.
Published: 2026-06-05
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Stored cross-site scripting (XSS) exists in HAX CMS and its associated components before version 26.0.0 because <iframe> elements are not properly sanitized: a javascript: URI is accepted in the src attribute and persisted with the page content. When a victim loads a page containing such an iframe, the browser executes the URI's JavaScript in the victim's context on the CMS origin. This lets an attacker read client-side data, act with the victim's session, and take over the account.

Affected Systems

HAX CMS (NodeJS backend), Iframe Loader and Video Player products from haxtheweb are affected. All releases before 26.0.0 are vulnerable. Version 26.0.0 and later contain the fix.

Risk and Exploitability

The CVSS 4.0 score of 9.3 is critical. The EPSS probability is below 1% and the vulnerability is not listed in the CISA KEV catalog. The vector (AV:N/AC:L/AT:N/PR:L/UI:P) requires a low-privileged account that can author or edit stored content, plus passive user interaction: the victim only has to view the page. The attacker stores a page containing an <iframe> whose src is a javascript: URI; because the CMS accepts arbitrary iframe content from users with write access, the payload is persisted and executes in the browser of every user who opens that page, allowing data exfiltration and session hijack.

Generated by OpenCVE AI on June 5, 2026 at 21:06 UTC.

Remediation

Vendor fix: version 26.0.0 corrects the iframe sanitization (see GHSA-jh3h-rpxg-fr36). No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade HAX CMS, Iframe Loader, and Video Player to version 26.0.0 or later.
  • If an upgrade is not immediately possible, change the sanitizer so that an <iframe> src is kept only when it parses to an allow-listed scheme (normally https:). A deny-list of the literal string javascript: is bypassed by case changes and embedded tab or newline characters, so parse the value with a URL parser and check the resulting scheme rather than the raw string.
  • Do not treat data: as a safe scheme: a data:text/html frame still runs script. Also strip srcdoc and on* attributes from iframes (srcdoc markup executes in the embedding page's origin), add a sandbox attribute to frames that are kept, and ensure the CMS escapes stored content on output.
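The mitigation above in working form, as an added example and not HAX CMS's own code: an <iframe> attribute filter that allow-lists the src scheme using the WHATWG URL parser (so obfuscated javascript: values normalise and are rejected), drops srcdoc and event-handler attributes by omission, and applies a sandbox to frames that survive. The function names, the attribute allow-list, the assumed CMS origin and the sample payloads are illustrative assumptions and constructed inputs, not taken from the advisory or the project.

```javascript
// Added example (not HAX CMS code): an <iframe> attribute filter of the kind
// the recommended mitigation describes. isSafeIframeSrc, filterIframeAttrs,
// KEPT_ATTRS and CMS_ORIGIN are illustrative names and assumptions.

// Schemes an embedded frame may load. javascript:, data:, blob:, vbscript:
// and everything else are rejected by omission; no deny-list to keep current.
const ALLOWED_SCHEMES = new Set(['https:']);

// Base that relative src values (e.g. "/pages/note") resolve against.
// Assumed CMS origin; a real deployment reads this from configuration.
const CMS_ORIGIN = 'https://cms.example.invalid';

// True only if src parses to an allow-listed scheme.
function isSafeIframeSrc(src) {
  if (typeof src !== 'string') return false;
  let url;
  try {
    // Use the WHATWG URL parser, not a string prefix test. It strips leading
    // and trailing controls/spaces, removes embedded tab and newline
    // characters ("java\tscript:") and lowercases the scheme, so the common
    // obfuscations of javascript: all normalise to protocol === 'javascript:'.
    url = new URL(src, CMS_ORIGIN);
  } catch {
    return false; // unparseable value: reject rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Attributes retained on an <iframe>. Anything absent here is dropped, which
// removes srcdoc (its markup runs in the embedding page's origin) and every
// on* event handler without having to enumerate them.
const KEPT_ATTRS = new Set([
  'src', 'title', 'width', 'height', 'loading', 'allowfullscreen',
]);

// Per-element hook for whatever HTML sanitizer runs on stored content.
// Takes the element's attribute map and returns the map to emit, or null
// when the element has no acceptable src and must be removed entirely.
function filterIframeAttrs(attrs) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    const key = name.toLowerCase(); // attribute names are case-insensitive
    if (KEPT_ATTRS.has(key)) out[key] = value;
  }
  if (!isSafeIframeSrc(out.src)) return null;
  // Even for an allowed https: source, run the frame in an opaque origin.
  // allow-same-origin is deliberately absent; widen per embed type if needed.
  out.sandbox = 'allow-scripts allow-popups';
  return out;
}

// Constructed sample values in the shapes a stored payload would take.
const SAMPLE_SRCS = [
  'https://www.youtube.com/embed/abc',        // allowed
  '/pages/embedded-note',                     // relative -> https: allowed
  'javascript:alert(document.cookie)',        // the pattern this CVE describes
  ' JaVaScRiPt:alert(1)',                     // case/whitespace obfuscation
  'java\tscript:alert(1)',                    // embedded tab
  'data:text/html,<script>alert(1)</script>', // data: is not safe either
  'http://cms.example.invalid/',              // cleartext, not allow-listed
];

for (const src of SAMPLE_SRCS) {
  console.log(JSON.stringify(src), '->', isSafeIframeSrc(src) ? 'keep' : 'drop');
}
```

The hook is meant to be wired into the sanitizer's per-element callback (for example the attribute-filtering hook of whichever HTML sanitizer the CMS already runs) rather than used as a regex over raw HTML; filtering at the attribute level is what makes the srcdoc and on* removal reliable.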

Generated by OpenCVE AI on June 5, 2026 at 21:06 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-jh3h-rpxg-fr36
Title: Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover
History

Fri, 05 Jun 2026 19:00:00 +0000

Values added (no values removed):
  Description: HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` elements. The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts. Version 26.0.0 fixes the issue.
  Title: HAX CMS has a stored XSS via <iframe> that allows access to sensitive client-side data and account takeover
  Weaknesses: CWE-79
  References: (none listed)
  Metrics: cvssV4_0, score 9.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T18:44:28.997Z

Reserved: 2026-05-13T21:04:10.931Z

Link: CVE-2026-46396

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-06-05T19:16:33.750

Modified: 2026-06-05T19:20:19.607

Link: CVE-2026-46396

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T21:15:05Z

Weaknesses