Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 24 npm packages depend on @haxtheweb/video-player (6 direct, 18 indirect)
Ecosystem-wide dependent count for version 26.0.0.
DescriptionGitHub Advisory
Summary
A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of the <video-player> component.
The component allows javascript: URIs in the source attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more.
Details
The vulnerability is present in the <video-player> web component used within the HAX CMS editor.
The application fails to validate or sanitize user-supplied input in the following attributes:
sourcesource-data
These attributes accept arbitrary URI schemes, including javascript:, which leads to execution of attacker-controlled JavaScript in the browser.
Example vulnerable usage:
<video-player
source="javascript:alert(document.domain)"
source-type="external">
</video-player>Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.
The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering. Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.
The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.
PoC
Steps to reproduce:
- Log in to HAX CMS as user.
- Create a website or any page and switch to the HTML source editor (
<>). - Insert the following payload:
<video-player source="javascript:alert('JWT: '+localStorage.getItem('jwt').substring(0,30))" source-type="external"></video-player><img width="2456" height="1405" alt="image" src="https://github.com/user-attachments/assets/ea037043-7ff7-4840-bed0-1091692c6289" />
Save the page.
Reload or revisit or send the page.
Result <img width="2468" height="1394" alt="image" src="https://github.com/user-attachments/assets/543bbf69-900d-4e2d-bd6b-0658fb5aa899" />
A JavaScript alert executes. The JWT token is exposed. This confirms arbitrary JavaScript execution in the victim’s browser.
Impact
This vulnerability allows stored XSS leading to:
- Theft of JWT authentication tokens
- Session hijacking
- Full account takeover
- Execution of arbitrary JavaScript in victim browsers
If an administrator views a malicious page, this can lead to full CMS compromise.
Attack complexity: Low Privileges required: Low (any authenticated user) User interaction: Required
AnalysisAI
Stored cross-site scripting in HAX CMS (npm packages @haxtheweb/haxcms-nodejs and @haxtheweb/video-player versions <= 25.0.0) allows any authenticated user to inject a <video-player> element whose source or source-data attribute carries a javascript: URI that executes when other users render the page. A public PoC in the vendor's GHSA advisory demonstrates JWT theft from localStorage, enabling session hijacking and full account takeover - especially severe when an administrator views the malicious page. No public exploit identified at time of analysis beyond the advisory PoC, and the issue is not listed in CISA KEV.
Technical ContextAI
HAX CMS is a headless, web-component-based content management system from The Pennsylvania State University's HAXTheWeb project, distributed as npm packages including @haxtheweb/haxcms-nodejs (the Node.js backend) and @haxtheweb/video-player (a Lit-based custom element). The root cause maps to CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the absence of URI-scheme validation on the source and source-data attributes of the <video-player> custom element. Because custom elements forward attribute values directly into DOM properties such as media src bindings, accepting the javascript: pseudo-scheme without an allowlist (e.g., http/https/data of safe MIME types) lets attacker-controlled script execute under the CMS origin, which holds the JWT used for authenticated CMS API calls.
RemediationAI
Vendor-released patch: upgrade @haxtheweb/haxcms-nodejs and @haxtheweb/video-player to 26.0.0 or later via npm install @haxtheweb/haxcms-nodejs@^26 @haxtheweb/video-player@^26 and redeploy the CMS, per advisory GHSA-2m6p-hm3w-6jm3 (https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3). If immediate upgrade is not possible, compensating controls include server-side sanitization of stored HTML to strip any <video-player> element whose source or source-data attribute does not start with http://, https://, or a vetted relative path (this will break legitimate non-HTTP sources), restricting the HTML source editor (<>) to highly trusted roles only to reduce the pool of potential injectors, and moving the JWT out of localStorage into an HttpOnly cookie so a successful XSS cannot trivially exfiltrate the session token (note: this requires CSRF protections and CMS code changes). A strict Content-Security-Policy that forbids inline script and disallows javascript: URIs (script-src 'self'; ... without unsafe-inline) will also neutralize the PoC, with the trade-off of breaking any HAX components that rely on inline handlers.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34892
GHSA-2m6p-hm3w-6jm3