High severityOSV Advisory· Published Jan 10, 2026· Updated Jan 13, 2026
HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover
CVE-2026-22704
Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@haxtheweb/haxcms-nodejsnpm | >= 11.0.6, < 25.0.0 | 25.0.0 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-3fm2-xfq7-7778ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-22704ghsaADVISORY
- github.com/haxtheweb/haxcms-nodejs/commit/317a8ae29f88be389f7cfeffaef416957122d97eghsax_refsource_MISCWEB
- github.com/haxtheweb/haxcms-nodejs/releases/tag/v25.0.0ghsax_refsource_MISCWEB
- github.com/haxtheweb/issuesghsaPACKAGE
- github.com/haxtheweb/issues/security/advisories/GHSA-3fm2-xfq7-7778ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.