HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
Description
Summary
A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of the `` component.
The component allows javascript: URIs in the source attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more.
Details
The vulnerability is present in the `` web component used within the HAX CMS editor.
The application fails to validate or sanitize user-supplied input in the following attributes: - source - source-data
These attributes accept arbitrary URI schemes, including javascript:, which leads to execution of attacker-controlled JavaScript in the browser.
Example vulnerable usage: ``html ``
Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.
The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering. Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.
The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.
PoC
Steps to reproduce: 1. Log in to HAX CMS as user. 2. Create a website or any page and switch to the HTML source editor (<>). 3. Insert the following payload:
Save the page.
Reload or revisit or send the page.
Result
A JavaScript alert executes. The JWT token is exposed. This confirms arbitrary JavaScript execution in the victim’s browser.
Impact
This vulnerability allows stored XSS leading to:
- Theft of JWT authentication tokens
- Session hijacking
- Full account takeover
- Execution of arbitrary JavaScript in victim browsers
If an administrator views a malicious page, this can lead to full CMS compromise.
Attack complexity: Low Privileges required: Low (any authenticated user) User interaction: Required
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in HAX CMS's `` component via `javascript:` URIs allows arbitrary JavaScript execution and JWT token theft.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the ` web component of HAX CMS (all versions prior to the fix). The component fails to sanitize the source and source-data attributes, allowing arbitrary URI schemes such as javascript:` to be used. This allows an attacker to inject malicious JavaScript that is stored and later rendered to any user viewing the page.
Exploitation
An attacker must have a user account with permissions to create or edit pages in HAX CMS. The attacker inserts a malicious ` element via the HTML source editor, setting the source attribute to a javascript:` URI. After saving the page, any victim who visits the page triggers the JavaScript execution in their browser. No additional user interaction is required beyond viewing the page.
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's browser. The attacker can steal JWT tokens (obtained from localStorage), leading to session hijacking and full account takeover. If an administrator views the malicious page, the attacker can gain admin-level access.
Mitigation
HAX CMS has not yet released a patched version or workaround as of the publication date (2026-05-19). The GitHub advisory [2][3] recommends waiting for an official fix. No EOL or KEV listing has been announced. Users should monitor the HAX CMS issue queue [1] for updates.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.