πŸ” CVE Alert

CVE-2026-46496

UNKNOWN 0.0

HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-player>` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.

CWE CWE-79 CWE-116
Vendor haxtheweb
Product haxcms-nodejs
Published Jun 5, 2026
Last Updated Jun 5, 2026
Stay Ahead of the Next One

Get instant alerts for haxtheweb haxcms-nodejs

Be the first to know when new unknown vulnerabilities affecting haxtheweb haxcms-nodejs are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

Affected Versions

haxtheweb / haxcms-nodejs
< 26.0.0
haxtheweb / video-player
< 26.0.0

References

NVD β†— CVE.org β†— EPSS Data β†—
github.com: https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3