PatchSiren cyber security CVE debrief
CVE-2026-48527 haxtheweb CVE debrief
A stored cross-site scripting (XSS) vulnerability in HAX CMS allows authenticated users with page editing permissions to bypass the HTML sanitizer by injecting event handler attributes without preceding whitespace. The vulnerability affects versions up to and including 26.0.0 across both PHP and Node.js backends. The issue resides in the `/system/api/saveNode` endpoint, where insufficient input validation permits malicious HTML attributes to persist in stored content. Successful exploitation requires authenticated access with edit permissions and user interaction with the crafted content, but can lead to session hijacking, credential theft, or administrative action under the victim's identity due to the stored nature of the payload. The CVSS 3.1 score of 8.7 reflects network attack vector, low attack complexity, required privileges, user interaction dependency, and high impacts to confidentiality and integrity with scope change. Patches are available: @haxtheweb/haxcms-nodejs version 26.0.1 and haxcms-php version 26.0.2. No known exploitation in the wild or ransomware campaign association has been reported.
- Vendor: haxtheweb
- Product: haxcms-nodejs
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running HAX CMS microsite deployments with multi-user editing environments; security teams managing content management system attack surface; developers maintaining HAX CMS instances or custom sanitizer implementations.
Technical summary
The `/system/api/saveNode` endpoint in HAX CMS fails to properly sanitize HTML event handler attributes when they are injected without whitespace preceding the attribute name. This parser edge case allows `on*` event handlers to evade the sanitizer, resulting in persistent JavaScript execution when the stored content is later rendered. The vulnerability requires authenticated access with edit permissions, limiting exposure to insider threats or compromised editor accounts. The fix in versions 26.0.1 (Node.js) and 26.0.2 (PHP) addresses the sanitizer bypass.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade @haxtheweb/haxcms-nodejs to version 26.0.1 or later
- Upgrade haxcms-php to version 26.0.2 or later
- Review and sanitize existing node content for unexpected event handler attributes
- Implement Content Security Policy headers to mitigate impact of any residual XSS vectors
- Audit user accounts with page editing permissions for suspicious activity
- Consider additional output encoding layers for dynamically rendered HTML content
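The summary above describes a sanitizer that misses `on*` attributes when no whitespace precedes the attribute name, and the actions above recommend reviewing stored node content for such attributes. The following audit script is an added example, not code from the advisory or from the HAX CMS project: it contrasts a whitespace-dependent regex check (the kind of logic that misses the edge case) with a real HTML tokenizer that sees every attribute regardless of surrounding whitespace. The node contents and the `handler()` value are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample node content (not taken from the advisory).
# The third entry places the event handler directly after a quoted value.
SAMPLE_NODES = {
    "node-clean": '<p>Welcome to <a href="/about">our site</a>.</p>',
    "node-spaced": '<img src="logo.png" onerror="handler()">',
    "node-no-space": '<img src="logo.png"onerror="handler()">',
}

# A whitespace-dependent check: only flags on* names preceded by whitespace,
# which is exactly the assumption a no-whitespace injection slips past.
NAIVE_HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)


def naive_has_event_handler(html: str) -> bool:
    """Regex check that relies on whitespace before the attribute name."""
    return NAIVE_HANDLER_RE.search(html) is not None


class EventHandlerFinder(HTMLParser):
    """Tokenizer-based check: html.parser reports every attribute it parses,
    including one that follows a closing quote with no whitespace."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append((tag, name.lower(), value))


def find_event_handlers(html: str):
    """Return (tag, attribute, value) for every on* attribute in the fragment."""
    parser = EventHandlerFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_nodes(nodes: dict) -> dict:
    """Map node id -> findings, for every stored node that carries an on* attribute."""
    return {nid: f for nid, html in nodes.items() if (f := find_event_handlers(html))}


if __name__ == "__main__":
    for nid, html in SAMPLE_NODES.items():
        print(nid, "naive:", naive_has_event_handler(html), "parser:", find_event_handlers(html))
```

Run `audit_nodes` over exported node content to list nodes that need review; the naive check is included only to show why a whitespace-based filter is insufficient.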
Evidence notes
Vulnerability description and affected versions derived from official CVE record and GitHub Security Advisory. CVSS vector and score sourced from NVD metadata. Patch versions confirmed through advisory references. No KEV listing present.
Official resources
- CVE-2026-48527 CVE record (CVE.org)
- CVE-2026-48527 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29