Critical severityGHSA Advisory· Published Jun 5, 2026· Updated Jun 5, 2026
CVE-2026-46496
CVE-2026-46496
Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the ` component. The component allows javascript: URIs in the source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@haxtheweb/haxcms-nodejsnpm | < 26.0.0 | 26.0.0 |
@haxtheweb/video-playernpm | < 26.0.0 | 26.0.0 |
Affected products
1Patches
Vulnerability mechanics
References
4News mentions
1- HAX CMS: 15 Vulnerabilities Disclosed Together on June 5, 2026Vypr Intelligence · Jun 5, 2026