PatchSiren cyber security CVE debrief
CVE-2026-46511 haxtheweb CVE debrief
CVE-2026-46511 is a HIGH-severity vulnerability in HAX CMS, a microsite universe management system, which allows an authenticated attacker to perform a complete cross-tenant account takeover. The vulnerability, patched in version 26.0.0, involves an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint.
- Vendor: haxtheweb
- Product: haxcms-nodejs
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-08
Who should care
Users of HAX CMS, especially those with administrative access, should be aware of this vulnerability and ensure they are running version 26.0.0 or later to prevent potential cross-tenant account takeovers.
Technical summary
The vulnerability in HAX CMS arises from an attack chain that combines Stored XSS with dynamic token exposure. An authenticated attacker can exploit this by forcing the victim's browser to fetch the victim's own connection settings, extracting the tokens from the response (including `jwt`, `user_token`, `site_token`, and `appstore_token`), and exfiltrating them to an attacker-controlled webhook. This allows for a complete cross-tenant account takeover.
Defensive priority
HIGH
Recommended defensive actions
- Update HAX CMS to version 26.0.0 or later.
- Review and restrict access to the `/system/api/connectionSettings` endpoint.
- Implement additional security measures to detect and prevent XSS attacks.
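As an added, defensive illustration (not HAX CMS code), the following shows how a `Content-Security-Policy` with `connect-src 'self'` limits where an injected script can send data, which is the exfiltration step of the chain described above; the CMS and webhook hostnames are constructed placeholders, and the evaluator covers only `'self'`, `'none'`, `*`, and explicit origins. The policy does not remove the token exposure itself; that is what the 26.0.0 upgrade addresses.

```javascript
// Added example, not part of HAX CMS. Demonstrates how a CSP connect-src
// directive constrains fetch()/XMLHttpRequest/sendBeacon targets, so that a
// stored-XSS payload reading /system/api/connectionSettings cannot POST the
// tokens to an off-site webhook. Hostnames below are constructed placeholders.

// Headers a deployment could send on every HTML response.
const CSP_POLICY = "default-src 'self'; connect-src 'self'";
function securityHeaders() {
  return { "Content-Security-Policy": CSP_POLICY };
}

// Parse a CSP string into a map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Decide whether a script on `pageOrigin` may open a connection to `targetUrl`
// under `policy`. Like browsers, connect-src falls back to default-src when
// absent; with neither present, everything is allowed.
function isConnectAllowed(policy, pageOrigin, targetUrl) {
  const d = parseCsp(policy);
  const sources = d.get("connect-src") || d.get("default-src") || ["*"];
  const page = new URL(pageOrigin);
  const target = new URL(targetUrl);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "*") return true;
    if (src === "'self'") {
      if (target.origin === page.origin) return true;
      continue;
    }
    // Explicit host expression, with or without a scheme (scheme-less
    // entries inherit the target's scheme, which is close enough here).
    let allowedOrigin;
    try {
      allowedOrigin = new URL(src.includes("://") ? src : `${target.protocol}//${src}`).origin;
    } catch (e) {
      continue; // keyword we do not model (e.g. 'unsafe-inline'); skip it
    }
    if (allowedOrigin === target.origin) return true;
  }
  return false;
}
```

Same-origin reads of the settings endpoint still succeed under this policy, so it is a containment measure for the webhook exfiltration, not a substitute for patching.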
Evidence notes
CVE-2026-46511 has a CVSS score of 8.7 and is considered HIGH severity. It was published on 2026-06-05 and modified on 2026-06-08.
Official resources
- CVE-2026-46511 CVE record (CVE.org)
- CVE-2026-46511 NVD detail (NVD)