CVE-2026-48527: HAX CMS Stored XSS in Page Editor API
HAX CMS, a platform for managing distributed microsites with PHP or Node.js backends, contains a stored cross-site scripting (XSS) flaw in its page-editing API. Authenticated users with page-editing permissions can inject malicious scripts that persist in the system by circumventing the HTML sanitizer through a specific formatting bypass. Once stored, these scripts execute in the browsers of other users who view the affected pages, potentially stealing credentials, hijacking sessions, or defacing content.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. @haxtheweb/haxcms-nodejs 26.0.1 and haxcms-php 26.0.2 patch the issue.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the `/system/api/saveNode` endpoint of HAX CMS versions up to 26.0.0. The HTML sanitizer can be bypassed by injecting event handler attributes formatted without whitespace between the attribute name and the preceding element. This allows an authenticated attacker to store arbitrary JavaScript within page content. When other users—including administrators—access these pages, the injected script executes in their browser context with the privileges of the authenticated session. The issue stems from insufficient input validation in the sanitization routine that handles user-supplied HTML.
Business impact
This vulnerability enables stored XSS attacks that can compromise the integrity and confidentiality of microsite content and user sessions. An attacker with editorial access could inject scripts to harvest credentials from administrators, redirect site visitors to malicious domains, exfiltrate sensitive data, or maintain persistent backdoor access through session hijacking. For organizations operating multiple microsites on a shared HAX CMS instance, a single compromised editor account could affect all hosted properties. Reputational damage and regulatory compliance issues may arise if customer data or site integrity is compromised.
Affected systems
HAX CMS versions 26.0.0 and earlier running either the PHP backend (@haxtheweb/haxcms-php) or Node.js backend (@haxtheweb/haxcms-nodejs) are affected. The vulnerability requires an authenticated user with page-editing permissions, so it is not exploitable by unauthenticated actors. Organizations should inventory all HAX CMS deployments and determine the current version of each backend runtime in use.
Exploitability
The vulnerability requires authenticated access with page-editing capabilities, which limits the attack surface to trusted users or accounts obtained through credential compromise. However, the barrier to exploitation is low once authentication is achieved: no special tooling or complex techniques are needed to craft the malicious payload. The stored nature of the XSS means the attack persists and affects all subsequent users who view the compromised page, including high-privilege administrators. This elevates risk in multi-user or multi-tenant deployments where account compromise is a realistic threat.
Remediation
Upgrade to @haxtheweb/haxcms-nodejs version 26.0.1 or haxcms-php version 26.0.2 or later. These versions include an improved HTML sanitizer that properly validates and rejects event handler attributes formatted without whitespace. After patching, review access logs and page content for evidence of stored XSS payloads that may have been injected before the update. Consider rotating credentials for any accounts that had editing permissions during the exposure window, particularly for high-privilege users.
Patch guidance
Prioritize patching based on deployment scope and role sensitivity. For production microsites handling user data or serving external customers, treat this as urgent and plan an update within the next maintenance window. For internal-only or low-risk microsites, updates should be completed within 30 days. Follow the vendor's release notes for any breaking changes or compatibility considerations when upgrading from 26.0.0 to 26.0.1 (Node.js) or 26.0.2 (PHP). Test the patched environment thoroughly in a staging environment before deployment to production. If immediate patching is not feasible, restrict page-editing permissions to a minimal set of highly trusted administrators and implement network-level monitoring for suspicious API activity on the `/system/api/saveNode` endpoint.
Detection guidance
Monitor the `/system/api/saveNode` endpoint for POST requests containing event handler attributes (onclick, onload, onerror, onmouseover, etc.) or unusual HTML entities and formatting patterns in request payloads. Review page-revision history and audit logs for unexpected content modifications by authenticated users. Use a Web Application Firewall (WAF) or API gateway to block requests containing common XSS patterns and event handler syntax. Implement Content Security Policy (CSP) headers to mitigate the impact of any injected scripts. Search stored page content in the database for suspicious JavaScript patterns or event handlers that may indicate successful exploitation prior to patching.
Why prioritize this
With a CVSS 3.1 score of 8.7 (HIGH severity), this vulnerability merits prompt attention. While authentication is required, the stored XSS nature means attacks persist and affect multiple users. The high impact score reflects the risk of credential theft and session hijacking. The availability of patches for both backend variants allows for straightforward remediation without architectural changes. Organizations should treat this as a medium-priority fix in standard change-management cycles, elevated to urgent if they operate customer-facing or high-value microsites or have evidence of compromised editorial accounts.
Risk score, explained
The CVSS 3.1 score of 8.7 reflects: (1) network-accessible API endpoint (AV:N); (2) low complexity of exploitation once authenticated (AC:L); (3) requirement for valid credentials with editing privilege (PR:L); (4) user interaction needed for payload execution via page view (UI:R); (5) scope change as the script executes in other users' browser contexts (S:C); (6) high impact on confidentiality through credential/session theft and high impact on integrity through content manipulation (C:H, I:H); (7) no direct impact on availability (A:N). The HIGH classification reflects the combination of persistence, cross-user impact, and the sensitivity of the affected data.
Frequently asked questions
Do we need to patch if we restrict editing permissions to a small, trusted team?
Restricting editing permissions reduces risk but does not eliminate it. Compromised credentials, insider threats, or privilege escalation could still lead to exploitation. Patching is still necessary to fully close the vulnerability, even in tightly controlled environments.
Can we use a Web Application Firewall to protect against this vulnerability without patching immediately?
A WAF can provide temporary mitigation by filtering requests with event handler patterns, but it is not a substitute for patching. WAF rules may have false positives or be bypassed by obfuscated payloads. Patching should remain the primary goal within your change-management timeline.
How do we know if we were exploited before patching?
Review page-revision audit logs and database backups for unexpected content changes by authorized accounts, especially during periods of unusual activity. Search page content for embedded JavaScript, event handlers, and suspicious HTML entities. Check web server and API logs for unusual POST activity on the `/system/api/saveNode` endpoint from unexpected source IPs or at off-hours.
Are there any version-specific patch URLs or download locations?
Verify patch availability and download links directly from the HAX CMS GitHub releases page or official vendor advisory. The patched versions are @haxtheweb/haxcms-nodejs 26.0.1 and haxcms-php 26.0.2. Always download from official sources and verify cryptographic signatures if available.
This analysis is provided for informational purposes to support vulnerability assessment and remediation planning. It does not constitute professional security advice. Organizations should conduct their own risk assessment and testing before applying patches or implementing mitigations. Version numbers, patch information, and vendor details referenced herein are based on the source data provided and should be verified against official vendor advisories and release notes. No guarantee is made regarding the completeness or accuracy of detection and remediation guidance, which may vary based on specific deployment configurations. Always consult the vendor documentation and engage qualified security professionals for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)