CVE-2026-46511
HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the `jwt`, `user_token`, `site_token`, and `appstore_token`) into a global JavaScript variable (`window.appSettings`). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook. Version 26.0.0 patches the issue.
| CWE | CWE-79 CWE-522 CWE-922 |
| Vendor | haxtheweb |
| Product | haxcms-nodejs |
| Published | Jun 5, 2026 |
| Last Updated | Jun 8, 2026 |
Get instant alerts for haxtheweb haxcms-nodejs
Be the first to know when new unknown vulnerabilities affecting haxtheweb haxcms-nodejs are published โ delivered to Slack, Telegram or Discord.