QSearchQSearch

CVE-2026-46511

HAX CMS helps manage microsite universe with PHP or NodeJs backends

Published: 2026-06-05 · Last updated: 2026-06-08

Severity and scoring

CWE
CWE-522, CWE-79, CWE-922

Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the `jwt`, `user_token`, `site_token`, and `appstore_token`) into a global JavaScript variable (`window.appSettings`). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook. Version 26.0.0 patches the issue.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-2827 The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in ... (4.7 MEDIUM)
  • CVE-2026-42558 Xibo is an open source digital signage platform with a web content management system and Windows display player software (7.6 HIGH)
  • CVE-2026-53742 Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template (5.4 MEDIUM)
  • CVE-2026-53741 Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding (5.4 MEDIUM)
  • CVE-2026-53740 Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice (5.4 MEDIUM)