logo

Database

Server side cross-site scripting In @haxtheweb/haxcms-nodejs

Description

HAX CMS: Stored XSS via '' component allows arbitrary JavaScript execution and token theft

Summary

A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of the <video-player> component.

The component allows javascript: URIs in the source attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more.

Details

The vulnerability is present in the <video-player> web component used within the HAX CMS editor.

The application fails to validate or sanitize user-supplied input in the following attributes:

    source

    source-data

These attributes accept arbitrary URI schemes, including javascript:, which leads to execution of attacker-controlled JavaScript in the browser.

Example vulnerable usage:

<video-player 
  source="javascript:alert(document.domain)" 
  source-type="external">
</video-player>

Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.

The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering. Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.

The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.

PoC

Steps to reproduce:

    Log in to HAX CMS as user.

    Create a website or any page and switch to the HTML source editor (<>).

    Insert the following payload:

<video-player source="javascript:alert('JWT: '+localStorage.getItem('jwt').substring(0,30))" source-type="external"></video-player>
image

Save the page.

Reload or revisit or send the page.

Result image

A JavaScript alert executes. The JWT token is exposed. This confirms arbitrary JavaScript execution in the victim’s browser.

Impact

This vulnerability allows stored XSS leading to:

    Theft of JWT authentication tokens

    Session hijacking

    Full account takeover

    Execution of arbitrary JavaScript in victim browsers

If an administrator views a malicious page, this can lead to full CMS compromise.

Attack complexity: Low
Privileges required: Low (any authenticated user)
User interaction: Required

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-464962. NVD-2026-464963. OSV-2026-464964. GHSA-2m6p-hm3w-6jm35. GCVE-2026-46496

References

1. https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.