CVE-2026-46496

CRITICAL

HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft

Title source: cna

Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-player>` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3

Scores

CVSS v4 9.3

EPSS 0.0023

EPSS Percentile 13.6%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-116 CWE-79

Status published

Products (4)

haxtheweb/haxcms-nodejs 0 - 26.0.0npm

haxtheweb/haxcms-nodejs < 26.0.0

haxtheweb/video-player 0 - 26.0.0npm

haxtheweb/video-player < 26.0.0

Published Jun 05, 2026

Tracked Since Jun 06, 2026