Skip to main content

HAX CMS CVE-2026-46496

| EUVDEUVD-2026-34892 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-05-19 https://github.com/haxtheweb/issues GHSA-2m6p-hm3w-6jm3
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 05, 2026 - 19:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 05, 2026 - 19:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 05, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jun 05, 2026 - 19:22 NVD
9.3 (CRITICAL)
Source Code Evidence Fetched
May 19, 2026 - 15:33 vuln.today
Analysis Generated
May 19, 2026 - 15:33 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 24 npm packages depend on @haxtheweb/video-player (6 direct, 18 indirect)

Ecosystem-wide dependent count for version 26.0.0.

DescriptionGitHub Advisory

Summary

A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of the <video-player> component.

The component allows javascript: URIs in the source attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more.

Details

The vulnerability is present in the <video-player> web component used within the HAX CMS editor.

The application fails to validate or sanitize user-supplied input in the following attributes:

  • source
  • source-data

These attributes accept arbitrary URI schemes, including javascript:, which leads to execution of attacker-controlled JavaScript in the browser.

Example vulnerable usage:

html
<video-player
  source="javascript:alert(document.domain)"
  source-type="external">
</video-player>

Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.

The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering. Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.

The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.

PoC

Steps to reproduce:

  1. Log in to HAX CMS as user.
  2. Create a website or any page and switch to the HTML source editor (<>).
  3. Insert the following payload:
html
<video-player source="javascript:alert('JWT: '+localStorage.getItem('jwt').substring(0,30))" source-type="external"></video-player>

<img width="2456" height="1405" alt="image" src="https://github.com/user-attachments/assets/ea037043-7ff7-4840-bed0-1091692c6289" />

Save the page.

Reload or revisit or send the page.

Result <img width="2468" height="1394" alt="image" src="https://github.com/user-attachments/assets/543bbf69-900d-4e2d-bd6b-0658fb5aa899" />

A JavaScript alert executes. The JWT token is exposed. This confirms arbitrary JavaScript execution in the victim’s browser.

Impact

This vulnerability allows stored XSS leading to:

  • Theft of JWT authentication tokens
  • Session hijacking
  • Full account takeover
  • Execution of arbitrary JavaScript in victim browsers

If an administrator views a malicious page, this can lead to full CMS compromise.

Attack complexity: Low Privileges required: Low (any authenticated user) User interaction: Required

AnalysisAI

Stored cross-site scripting in HAX CMS (npm packages @haxtheweb/haxcms-nodejs and @haxtheweb/video-player versions <= 25.0.0) allows any authenticated user to inject a <video-player> element whose source or source-data attribute carries a javascript: URI that executes when other users render the page. A public PoC in the vendor's GHSA advisory demonstrates JWT theft from localStorage, enabling session hijacking and full account takeover - especially severe when an administrator views the malicious page. No public exploit identified at time of analysis beyond the advisory PoC, and the issue is not listed in CISA KEV.

Technical ContextAI

HAX CMS is a headless, web-component-based content management system from The Pennsylvania State University's HAXTheWeb project, distributed as npm packages including @haxtheweb/haxcms-nodejs (the Node.js backend) and @haxtheweb/video-player (a Lit-based custom element). The root cause maps to CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the absence of URI-scheme validation on the source and source-data attributes of the <video-player> custom element. Because custom elements forward attribute values directly into DOM properties such as media src bindings, accepting the javascript: pseudo-scheme without an allowlist (e.g., http/https/data of safe MIME types) lets attacker-controlled script execute under the CMS origin, which holds the JWT used for authenticated CMS API calls.

RemediationAI

Vendor-released patch: upgrade @haxtheweb/haxcms-nodejs and @haxtheweb/video-player to 26.0.0 or later via npm install @haxtheweb/haxcms-nodejs@^26 @haxtheweb/video-player@^26 and redeploy the CMS, per advisory GHSA-2m6p-hm3w-6jm3 (https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3). If immediate upgrade is not possible, compensating controls include server-side sanitization of stored HTML to strip any <video-player> element whose source or source-data attribute does not start with http://, https://, or a vetted relative path (this will break legitimate non-HTTP sources), restricting the HTML source editor (<>) to highly trusted roles only to reduce the pool of potential injectors, and moving the JWT out of localStorage into an HttpOnly cookie so a successful XSS cannot trivially exfiltrate the session token (note: this requires CSRF protections and CMS code changes). A strict Content-Security-Policy that forbids inline script and disallows javascript: URIs (script-src 'self'; ... without unsafe-inline) will also neutralize the PoC, with the trade-off of breaking any HAX components that rely on inline handlers.

Share

CVE-2026-46496 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy