CVE-2026-46496

HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft

CVSS 9.3 CRITICALEPSS 0.2%CWE-116 CWE-79

Vexday Risk Score

28Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 9.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

05 jun 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-player>` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Produtos afetados

haxtheweb · haxcms-nodejs haxtheweb · video-player

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3