PatchSiren cyber security CVE debrief
CVE-2026-46496 haxtheweb CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in HAX CMS versions prior to 26.0.0. The vulnerability is caused by improper sanitization of the `<video-player>` component, which allows `javascript:` URIs in the `source` attribute. These URIs are executed when the page is viewed, enabling attackers to execute arbitrary JavaScript in the context of the victim's browser. This allows access to sensitive data such as JWT tokens. The issue is fixed in version 26.0.0.
- Vendor: haxtheweb
- Product: haxcms-nodejs
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
Users of HAX CMS versions prior to 26.0.0 should update to version 26.0.0 or later to mitigate this vulnerability.
Technical summary
The vulnerability has a CVSS score of 9.3 and is classified as CRITICAL. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
This vulnerability is considered high priority for users of HAX CMS versions prior to 26.0.0.
Recommended defensive actions
- Update to version 26.0.0 or later
Evidence notes
The vulnerability is caused by improper sanitization of the `<video-player>` component.
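As an added illustration of the kind of check that was missing (this is not HAX CMS's own code or its actual fix; the function names, the `https://example.test` base origin and the rendering helper are assumptions), the following allow-lists the scheme of a media element's `source` attribute. It uses the WHATWG URL parser rather than substring matching, so upper-case schemes, leading whitespace and embedded tab/newline characters are normalised exactly as the browser would normalise them before deciding whether the value is a `javascript:` URI.

```javascript
// Added example, not HAX CMS code: scheme allow-list for a <video-player>
// `source` attribute, the attack surface described in CVE-2026-46496.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised URL string, or null if the value must be dropped.
// baseOrigin is an assumed site origin used to resolve relative paths.
function sanitizeMediaSource(value, baseOrigin = "https://example.test") {
  if (typeof value !== "string") return null;
  let parsed;
  try {
    // The WHATWG parser strips ASCII tab/newline from inside the input and
    // lower-cases the scheme, so "java\tscript:" and "JAVASCRIPT:" both
    // surface as protocol "javascript:" here instead of slipping past.
    parsed = new URL(value, baseOrigin);
  } catch (e) {
    return null; // unparseable input is rejected, never passed through
  }
  // Allow-list, not deny-list: data:, blob:, vbscript: etc. are also refused.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Even an allowed URL must be encoded for the attribute context it lands in,
// otherwise a quote in the query string could still break out of the attribute.
function attrEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed rendering helper: omit the element entirely rather than render an
// unsafe source, so a rejected value cannot reach the DOM in any form.
function renderVideoPlayer(source) {
  const safe = sanitizeMediaSource(source);
  if (safe === null) return "<!-- video-player omitted: unsafe source -->";
  return `<video-player source="${attrEncode(safe)}"></video-player>`;
}

module.exports = { sanitizeMediaSource, attrEncode, renderVideoPlayer };
```

Relative paths such as `media/intro.mp4` resolve against the base origin and pass, while any scheme outside the allow-list is dropped regardless of casing or whitespace tricks.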
Official resources
- CVE-2026-46496 CVE record (CVE.org)
- CVE-2026-46496 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-46496 was published on 2026-06-05T19:16:34.113Z and modified on 2026-06-05T20:17:34.710Z.