PatchSiren cyber security CVE debrief
CVE-2026-46396 haxtheweb CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in HAX CMS versions prior to 26.0.0. The vulnerability is caused by improper sanitization of `<iframe>` elements, allowing `javascript:` URIs in the `src` attribute. This enables attackers to execute arbitrary JavaScript in the context of the victim's browser and access sensitive data exposed to client-side scripts. The vulnerability has a CVSS score of 9.3 and is considered CRITICAL.
- Vendor: haxtheweb
- Product: haxcms-nodejs
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-09
Who should care
Anyone running HAX CMS (the haxcms-nodejs package) at a version below 26.0.0 should update to 26.0.0 or later. Because the XSS is stored, the payload lives in site content rather than in a crafted link: it fires for every user who views the affected page, including site administrators, so the fix should be applied on all affected deployments, not only on public-facing ones.
Technical summary
The content sanitizer accepts `<iframe>` elements whose `src` attribute carries a `javascript:` URI. When a page containing such an element is rendered, the browser evaluates the URI as script in the site's own origin, so attacker-supplied JavaScript runs with whatever the viewing user's session can reach from client-side code (for example non-HttpOnly cookies, web storage, and authenticated requests issued by the page). A scheme check that only looks at the literal string `javascript:` is not enough: the value can be upper-cased, padded with whitespace or control characters, or encoded with HTML entities, all of which the browser normalises before deciding what to execute.
Defensive priority
HIGH
Recommended defensive actions
- Update haxcms-nodejs to version 26.0.0 or later; this is the only fix the advisory records.
- Until the update is deployed, review stored site content for `<iframe>` elements whose `src` does not begin with `http://` or `https://` after decoding, since the payload persists in content rather than in a one-off link.
- As general hardening not specific to this advisory, a Content-Security-Policy whose `script-src` directive omits `'unsafe-inline'` prevents the browser from executing `javascript:` URLs, which limits the impact of this bug class.
Evidence notes
The vulnerability is fixed in version 26.0.0. The stored evidence does not include a CISA KEV listing or any report of in-the-wild exploitation.
Official resources
- CVE-2026-46396 CVE record (CVE.org)
- CVE-2026-46396 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-46396 was published on 2026-06-05 and modified on 2026-06-09.