High severityOSV Advisory· Published Jan 10, 2026· Updated Jan 13, 2026
HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover
CVE-2026-22704
Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@haxtheweb/haxcms-nodejsnpm | >= 11.0.6, < 25.0.0 | 25.0.0 |
Affected products
1- Range: v11.0.10, v11.0.11, v11.0.12, …
Patches
1317a8ae29f88issues-ghsa-3fm2-xfq7-7778
1 file changed · +8 −0
src/app.js+8 −0 modified@@ -76,6 +76,14 @@ if (process.env.NODE_ENV === "development") { app.use(express.urlencoded({limit: '50mb', extended: false, parameterLimit: 50000 })); app.use(helmet(helmetPolicies)); app.use(cookieParser()); + +// Security: Force download of HTML files in sites' files directories to prevent XSS +app.use((req, res, next) => { + if (req.url.includes('/files/') && /\.html?$/i.test(req.url.split('?')[0])) { + res.setHeader('Content-Disposition', 'attachment'); + } + next(); +}); //pre-flight requests app.options('*', function(req, res, next) { res.sendStatus(200);
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-3fm2-xfq7-7778ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-22704ghsaADVISORY
- github.com/haxtheweb/haxcms-nodejs/commit/317a8ae29f88be389f7cfeffaef416957122d97eghsax_refsource_MISCWEB
- github.com/haxtheweb/haxcms-nodejs/releases/tag/v25.0.0ghsax_refsource_MISCWEB
- github.com/haxtheweb/issues/security/advisories/GHSA-3fm2-xfq7-7778ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.