VYPR
Critical severityGHSA Advisory· Published Jun 5, 2026· Updated Jun 5, 2026

CVE-2026-46496

CVE-2026-46496

Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the ` component. The component allows javascript: URIs in the source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@haxtheweb/haxcms-nodejsnpm
< 26.0.026.0.0
@haxtheweb/video-playernpm
< 26.0.026.0.0

Affected products

1

Patches

Vulnerability mechanics

References

4

News mentions

1