CVE-2026-22704

HIGH

haxcms-nodejs 11.0.6-24.9.9 - Stored Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-22704. PoCs published by banyamer.

AI-analyzed exploit summary: This Python script demonstrates a stored XSS vulnerability in HAX CMS 24.x by uploading a malicious HTML file with embedded JavaScript. The exploit authenticates as a low-privileged user, uploads the file, and provides a URL to trigger the XSS payload.

Description

HAX CMS helps manage a microsite universe with PHP or Node.js backends. In versions 11.0.6 up to, but not including, 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.

Exploits (1)

exploitdb WORKING POC
by banyamer · python · webapps · multiple
https://www.exploit-db.com/exploits/52526

Classification
Working PoC 95%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: HAX CMS <= 24.x
Auth required
Prerequisites: valid low-privilege user credentials · access to the file upload endpoint
devstral-2 · analyzed May 06, 2026

Scores

CVSS v3 8.0
EPSS 0.0104
EPSS Percentile 59.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (2)
haxtheweb/haxcms-nodejs 11.0.6 - 25.0.0 (npm)
psu/haxcms-nodejs 11.0.6
Published Jan 10, 2026
Tracked Since Feb 18, 2026