Description
HAX CMS helps manage a microsite universe with PHP or Node.js backends. Versions from 11.0.6 up to, but not including, 25.0.0 are vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.
References (3)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/haxtheweb/issues/security/advisories/GHSA-3fm2-xfq7-7778
Patch x_refsource_misc
https://github.com/haxtheweb/haxcms-nodejs/commit/317a8ae29f88be389f7cfeffaef416957122d97e
Release Notes x_refsource_misc
https://github.com/haxtheweb/haxcms-nodejs/releases/tag/v25.0.0
Scores
CVSS v3
8.0
EPSS
0.0008
EPSS Percentile
22.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (2)
haxtheweb/haxcms-nodejs
11.0.6 - 25.0.0 (npm)
psu/haxcms-nodejs
11.0.6
Published
Jan 10, 2026
Tracked Since
Feb 18, 2026