CVE-2026-48527
Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the /system/api/saveNode endpoint. An authenticated user with permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. @haxtheweb/haxcms-nodejs 26.0.1 and haxcms-php 26.0.2 patch the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HAX CMS up to 26.0.0 has a stored XSS in /system/api/saveNode where an authenticated editor can bypass the HTML sanitizer by omitting whitespace before an event handler attribute.
Vulnerability
HAX CMS versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the /system/api/saveNode endpoint [2][3]. The issue stems from a regex-based HTML sanitizer that expects whitespace before event handler attributes (e.g., onclick, onload). When an attacker removes this whitespace, as in `<a href="#"onclick="alert('kn1ph')">click me</a>`, the sanitizer fails to remove the event handler, but browsers still parse it as a valid attribute, leading to script execution [2][3]. Only authenticated users with page editing permissions can exploit this flaw [2][3]. Affected parameter: node.body in POST requests [2][3].
Exploitation
An attacker must have an authenticated HAX CMS session with permission to edit pages [2][3]. Using a tool like Burp Suite, the attacker captures the page save request to /system/api/saveNode?site_token=[VALID_SITE_TOKEN] and modifies the node.body value in the JSON body to include a crafted payload such as `<a href="#"onclick="alert('kn1ph')">click me</a>` [2][3]. The sanitizer bypass occurs because the regex expects a space before the attribute name, which is omitted [2][3]. The payload is stored in the generated page files (e.g., index.html) and executes when any user clicks the injected link [2][3].
Impact
When a victim clicks the injected element, the attacker-controlled JavaScript runs in the victim's browser within the context of the HAX CMS site [2][3]. This can lead to theft of sensitive browser-accessible data, including localStorage.jwt and window.appSettings, which contain API paths and tokens available to the authenticated user [2][3]. Consequently, an attacker may be able to perform actions on behalf of the victim, such as modifying pages, reading protected content, or escalating privileges [2][3].
Mitigation
Patches are available: @haxtheweb/haxcms-nodejs version 26.0.1 and haxcms-php version 26.0.2 [2][3]. Users should upgrade to these versions immediately. If upgrading is not possible, administrators should restrict edit permissions to only trusted users and review custom sanitization logic for similar bypass patterns. No workaround that completely mitigates the risk without patching has been disclosed [2][3].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=26.0.0
- (no CPE) range: <=26.0.0
- range: <=26.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Regex-based HTML sanitizer expects whitespace before event handler attributes, allowing bypass when no whitespace is present."
Attack vector
An authenticated user with page-edit permissions sends a POST request to `/system/api/saveNode` with a crafted `node.body` value containing an event handler attribute that lacks whitespace before the attribute name (e.g., `onclick` directly adjacent to the preceding attribute). The regex-based sanitizer fails to strip the event handler because it expects a whitespace delimiter. When a victim clicks the injected element, the browser executes the JavaScript in the victim's session. [ref_id=1]
Affected code
The vulnerability resides in the `/system/api/saveNode` endpoint. The HTML sanitizer uses a regex that expects whitespace before event handler attributes, so a payload like `<a href="#"onclick="alert('kn1ph')">click me</a>` bypasses sanitization because there is no whitespace between the attribute and the event handler. The payload is stored in generated page files (e.g., `index.html`).
What the fix does
The advisory states that versions 26.0.1 (NodeJS) and 26.0.2 (PHP) patch the issue. The fix addresses the regex-based HTML sanitizer so that it correctly detects and removes event handler attributes even when no whitespace precedes the attribute name. Without the patch, the sanitizer's regex expects a whitespace boundary, allowing the bypass demonstrated in the advisory. [ref_id=1]
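The root cause above (a regex that only recognizes an event handler when whitespace precedes it) and the attribute-aware behaviour the fix implies, as an added JavaScript illustration. This is not HAX CMS code: the regexes, the attribute tokenizer and the function names are assumptions constructed to show the shape of the flaw and one way to avoid it, not the project's actual sanitizer pattern or its patch.

```javascript
// Added illustration (not HAX CMS code): a whitespace-dependent regex filter of
// the kind the advisory describes, beside an attribute-level rewrite that does
// not rely on whitespace. Both patterns are constructed for this example and are
// an assumption about the flaw's shape, not the project's actual sanitizer.

// Weak filter: only matches an on* attribute when whitespace precedes it, so
// `href="#"onclick=...` (no space after the closing quote) is never touched.
const WEAK_EVENT_ATTR = /\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;

function weakSanitize(html) {
  return html.replace(WEAK_EVENT_ATTR, "");
}

// Start tag with its raw attribute text; quoted values may contain '>' safely.
const START_TAG = /<([a-zA-Z][\w-]*)((?:[^>"']|"[^"]*"|'[^']*')*)>/g;
// One attribute: a name, optionally followed by '=' and a quoted or bare value.
// The name class excludes quotes, so `"#"onclick` still yields a new attribute.
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;

// Hardened filter: re-tokenize each start tag's attributes and drop every
// attribute whose name begins with "on", regardless of what separated it from
// the previous attribute.
function stripEventHandlers(html) {
  return html.replace(START_TAG, (_whole, name, attrText) => {
    const kept = [];
    for (const m of attrText.matchAll(ATTR)) {
      if (!/^on/i.test(m[1])) kept.push(m[0]);
    }
    return kept.length ? `<${name} ${kept.join(" ")}>` : `<${name}>`;
  });
}

// Detection helper for a pre-save check or a regression test: does any start
// tag still carry an on* attribute after sanitization?
function hasEventHandler(html) {
  for (const tag of html.matchAll(START_TAG)) {
    for (const m of tag[2].matchAll(ATTR)) {
      if (/^on/i.test(m[1])) return true;
    }
  }
  return false;
}

// Constructed inputs: the advisory's payload and its whitespace-separated twin.
const NO_SPACE_PAYLOAD = `<a href="#"onclick="alert('kn1ph')">click me</a>`;
const SPACED_PAYLOAD = `<a href="#" onclick="alert('kn1ph')">click me</a>`;

function demo() {
  return {
    weakOnSpaced: weakSanitize(SPACED_PAYLOAD),      // handler removed
    weakOnNoSpace: weakSanitize(NO_SPACE_PAYLOAD),   // unchanged: the bypass
    hardenedOnNoSpace: stripEventHandlers(NO_SPACE_PAYLOAD),
  };
}
```

The weak pattern is correct for the spaced form and silently passes the unspaced one, which is exactly the class of bypass a regression test should cover. Even the attribute-level rewrite is a stopgap: a sanitizer that parses HTML with a real parser and allowlists attribute names (rather than denylisting `on*`) is the durable fix, and `hasEventHandler` is best used as a post-sanitization assertion rather than as the sanitizer itself.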
Preconditions
- auth: Attacker must be authenticated to HaxCMS
- auth: Attacker must have permission to edit pages
- input: Victim must click the injected link element
Reproduction
1. Log in to HaxCMS and edit any existing page.
2. Capture the page save request in Burp Suite: `POST /system/api/saveNode?site_token=[VALID_SITE_TOKEN]`.
3. In the JSON request body, change `"body":"...existing page content...\n"` to `"body":"...existing page content...\n<a href=\"#\"onclick=\"alert('kn1ph')\">click me</a>\n"`.
4. Forward the request.
5. Open the edited page and click "click me". The JavaScript executes and an alert pops up. [ref_id=1]
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.