Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-player>` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.
Published: 2026-06-05
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross-site scripting flaw was discovered in HAX CMS prior to version 26.0.0. The `<video-player>` component fails to sanitize the `source` attribute, allowing a `javascript:` URI to be stored. When any user visits the page, the browser executes the malicious script in the victim’s context, giving an attacker the ability to run arbitrary code, steal session tokens, and access confidential data. The vulnerability is classified as CWE-79 and also involves improper encoding (CWE-116).

Affected Systems

The flaw affects haxtheweb’s HAX CMS (NodeJS backend) and the associated video-player component in all releases before 26.0.0. Any deployment of these components that uses the `<video-player>` tag is vulnerable until the patch is applied.

Risk and Exploitability

With a CVSS score of 9.3, the vulnerability is considered high severity. The EPSS score is not available and the issue is not listed in CISA’s KEV catalog, but the impact remains significant. Attackers can inject malicious content through the CMS’s content editing feature; the stored payload then propagates to all users who view the affected page. Because the attack vector requires only content injection, knowledgeable attackers can exploit the flaw without additional privileges beyond the ability to post or edit pages.

Generated by OpenCVE AI on June 5, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update HAX CMS and the video-player component to version 26.0.0 or later.
  • Deploy the updated packages across all environments that host user-generated content.
  • Configure the data submission pipeline to reject or encode any `javascript:` scheme in video source attributes and enforce that only privileged administrators can edit page content.
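The scheme allowlist the last action describes, as an added example for a NodeJS backend (this is not HAX CMS code; the site origin, sample values and function names are assumptions). It relies on the WHATWG URL parser to normalise the value before the scheme is checked, so case tricks and embedded tab/newline characters do not bypass the check:

```javascript
// Added example: allowlist validation of a video-player "source" attribute.
// Hypothetical helper, not HAX CMS code. Assumes the value has already been
// HTML-entity-decoded, i.e. it is the attribute value a browser would see.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Constructed site origin, used only to resolve relative sources.
const SITE_BASE = "https://cms.example.invalid/";

/**
 * Returns the normalised absolute URL when `value` is an acceptable media
 * source, or null when it must be rejected. The URL parser strips leading
 * C0 controls/spaces and removes embedded tab/newline characters, so an
 * obfuscated scheme such as "  JaVa\tScRiPt:" is still seen as javascript:.
 */
function sanitizeVideoSource(value) {
  if (typeof value !== "string" || value.length === 0) return null;
  let url;
  try {
    url = new URL(value, SITE_BASE);
  } catch {
    return null; // unparseable input is rejected, never passed through
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Constructed sample attribute values, as they might arrive from the editor.
const SAMPLES = [
  "https://media.example.invalid/lecture.mp4",
  "/files/intro.webm",
  "javascript:alert(1)",
  "  JaVa\tScRiPt:alert(1)",
  "data:text/html,not-a-video",
  "vbscript:MsgBox(1)",
];

// Runs every sample through the check and reports the decision for each.
function classifySamples() {
  return SAMPLES.map((s) => ({ input: s, result: sanitizeVideoSource(s) }));
}

for (const { input, result } of classifySamples()) {
  console.log(`${result ? "ALLOW " : "REJECT"} ${JSON.stringify(input)} -> ${result}`);
}
```

Encoding the value on output (attribute-escaping when the page is rendered) is still required; this check only keeps non-http(s) schemes out of stored content.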

Advisories

Source: Github GHSA
ID: GHSA-2m6p-hm3w-6jm3
Title: HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft

History

Fri, 05 Jun 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-player>` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.

Type: Title
Values Removed: (none)
Values Added: HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-116, CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:10:41.697Z

Reserved: 2026-05-14T18:06:06.811Z

Link: CVE-2026-46496

Vulnrichment

Updated: 2026-06-05T19:10:23.519Z

NVD

Status: Deferred

Published: 2026-06-05T19:16:34.113

Modified: 2026-06-05T20:17:34.710

Link: CVE-2026-46496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T20:45:04Z

Weaknesses