πŸ” CVE Alert

CVE-2026-46396

UNKNOWN 0.0

HAX CMS has a stored XSS via <iframe> that allows access to sensitive client-side data and account takeover

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
15th

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` elements. The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts. Version 26.0.0 fixes the issue.

CWE CWE-79
Vendor haxtheweb
Product haxcms-nodejs
Published Jun 5, 2026
Last Updated Jun 9, 2026
Stay Ahead of the Next One

Get instant alerts for haxtheweb haxcms-nodejs

Be the first to know when new unknown vulnerabilities affecting haxtheweb haxcms-nodejs are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

Affected Versions

haxtheweb / haxcms-nodejs
< 26.0.0
haxtheweb / video-player
< 26.0.0
haxtheweb / iframe-loader
< 26.0.0

References

NVD β†— CVE.org β†— EPSS Data β†—
github.com: https://github.com/haxtheweb/issues/security/advisories/GHSA-jh3h-rpxg-fr36