HIGH
haxtheweb
CVE published 2026-05-29
CVE-2026-48527
A stored cross-site scripting (XSS) vulnerability in HAX CMS allows authenticated users with page editing permissions to bypass the HTML sanitizer by injecting event handler attributes without preceding whitespace. The vulnerability affects versions up to and including 26.0.0 across both PHP and Node.js backends. The issue resides in the `/system/api/saveNode` endpoint, where insufficient input validation [truncated]
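An added example, not code from HAX CMS or from the advisory: a JavaScript check that tokenizes start-tag attributes the way a browser does, so an event handler that directly follows a closing quote is still found. `naiveFind` is an assumed whitespace-anchored filter shown only for contrast, and `SAMPLE` and all function names are constructed for illustration.

```javascript
// Added example; not HAX CMS code. SAMPLE is constructed input.
const SAMPLE = '<p>hi</p><img src="x.png"onerror="alert(1)" alt="a">' +
  '<a href="/b" onclick="go()">b</a>';

// ASSUMED weak check for contrast: only sees handlers preceded by whitespace.
function naiveFind(html) {
  return (html.match(/\son\w+\s*=/gi) || [])
    .map((m) => m.trim().replace(/\s*=$/, '').toLowerCase());
}

const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';
const isSep = (c) => isWs(c) || c === '/';

// Walk start tags like the HTML tokenizer: an attribute name may begin after
// whitespace, after "/", or immediately after the closing quote of a value.
function listAttributes(html) {
  const found = [];
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    i++;
    if (!/[a-z]/i.test(html[i] || '')) continue; // end tag, comment or text
    let s = i;
    while (i < html.length && !isSep(html[i]) && html[i] !== '>') i++;
    const tag = html.slice(s, i).toLowerCase();
    while (i < html.length && html[i] !== '>') {
      if (isSep(html[i])) { i++; continue; }
      s = i++; // first character always belongs to the name
      while (i < html.length && !isSep(html[i]) && html[i] !== '=' && html[i] !== '>') i++;
      found.push({ tag, name: html.slice(s, i).toLowerCase() });
      while (i < html.length && isWs(html[i])) i++;
      if (html[i] !== '=') continue; // attribute without a value
      i++;
      while (i < html.length && isWs(html[i])) i++;
      if (html[i] === '"' || html[i] === "'") {
        const end = html.indexOf(html[i], i + 1);
        i = end === -1 ? html.length : end + 1; // no separator needed after the quote
      } else {
        while (i < html.length && !isWs(html[i]) && html[i] !== '>') i++;
      }
    }
  }
  return found;
}

// Report every on* attribute so the save request can be rejected or cleaned.
function findEventHandlers(html) {
  return listAttributes(html)
    .filter((a) => a.name.startsWith('on'))
    .map((a) => `${a.tag}.${a.name}`);
}
```

An allowlist of permitted attribute names applied to the same tokenizer output is stricter than matching the `on` prefix.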