Impact
The vulnerability chains a stored cross-site scripting flaw with an endpoint that exposes authentication tokens to page scripts. An attacker who can inject script into the content system is able to embed code that runs in the victim's browser. When the victim visits a page that loads the /system/api/connectionSettings endpoint, the endpoint writes the current session's JWT, user_token, site_token, and appstore_token into a global JavaScript variable. The injected script can then silently read that variable and send the tokens to an attacker-controlled webhook. With the exfiltrated tokens, the attacker can impersonate the victim and act across other tenants, effectively achieving a cross-tenant account takeover.
Affected Systems
The issue is present in the HAX CMS platform, in both the Node.js and PHP back-ends. Any deployment of haxtheweb:haxcms-nodejs or haxtheweb:haxcms-php older than version 26.0.0 is affected. Version 26.0.0 and later contain the fix, which removes the token leakage and eliminates the stored XSS vector used in the attack chain.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the likelihood of exploitation may still be significant because the flaw requires only a stored XSS injection, which can be introduced through normal content editing workflows. Once an authenticated user injects the malicious content, every victim who visits the affected pages has their session tokens stolen and exfiltrated. The attack vector is web-based and requires no privileges beyond the ability to write to stored content.
OpenCVE Enrichment
Github GHSA