CVE-2026-46496 (GCVE-0-2026-46496)
Vulnerability from cvelistv5 – Published: 2026-06-05 18:46 – Updated: 2026-06-05 19:10
VLAI
Title
HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
Summary
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-player>` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/haxtheweb/issues/security/advi… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| haxtheweb | haxcms-nodejs |
Affected:
< 26.0.0
|
|
| haxtheweb | video-player |
Affected:
< 26.0.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46496",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T19:10:37.350920Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T19:10:41.697Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "haxcms-nodejs",
"vendor": "haxtheweb",
"versions": [
{
"status": "affected",
"version": "\u003c 26.0.0"
}
]
},
{
"product": "video-player",
"vendor": "haxtheweb",
"versions": [
{
"status": "affected",
"version": "\u003c 26.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `\u003cvideo-player\u003e` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim\u2019s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:46:36.822Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3"
}
],
"source": {
"advisory": "GHSA-2m6p-hm3w-6jm3",
"discovery": "UNKNOWN"
},
"title": "HAX CMS: Stored XSS via \u0027\u003cvideo-player\u003e\u0027 component allows arbitrary JavaScript execution and token theft"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46496",
"datePublished": "2026-06-05T18:46:36.822Z",
"dateReserved": "2026-05-14T18:06:06.811Z",
"dateUpdated": "2026-06-05T19:10:41.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-46496",
"date": "2026-06-06",
"epss": "0.00047",
"percentile": "0.14881"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-46496\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-05T19:16:34.113\",\"lastModified\":\"2026-06-05T20:17:34.710\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `\u003cvideo-player\u003e` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim\u2019s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-116\"}]}],\"references\":[{\"url\":\"https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-46496\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-05T19:10:37.350920Z\"}}}], \"references\": [{\"url\": \"https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-05T19:10:23.519Z\"}}], \"cna\": {\"title\": \"HAX CMS: Stored XSS via \u0027\u003cvideo-player\u003e\u0027 component allows arbitrary JavaScript execution and token theft\", \"source\": {\"advisory\": \"GHSA-2m6p-hm3w-6jm3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"haxtheweb\", \"product\": \"haxcms-nodejs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 26.0.0\"}]}, {\"vendor\": \"haxtheweb\", \"product\": \"video-player\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 26.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3\", \"name\": \"https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `\u003cvideo-player\u003e` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim\\u2019s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-116\", \"description\": \"CWE-116: Improper Encoding or Escaping of Output\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-05T18:46:36.822Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-46496\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-05T19:10:41.697Z\", \"dateReserved\": \"2026-05-14T18:06:06.811Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-05T18:46:36.822Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-46496
Vulnerability from fkie_nvd - Published: 2026-06-05 19:16 - Updated: 2026-06-05 20:17
Severity
Summary
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-player>` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `\u003cvideo-player\u003e` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim\u2019s browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue."
}
],
"id": "CVE-2026-46496",
"lastModified": "2026-06-05T20:17:34.710",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-06-05T19:16:34.113",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-2M6P-HM3W-6JM3
Vulnerability from github – Published: 2026-05-19 14:44 – Updated: 2026-05-19 14:44
VLAI
Summary
HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
Details
Summary
A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of the <video-player> component.
The component allows javascript: URIs in the source attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more.
Details
The vulnerability is present in the <video-player> web component used within the HAX CMS editor.
The application fails to validate or sanitize user-supplied input in the following attributes:
- source
- source-data
These attributes accept arbitrary URI schemes, including javascript:, which leads to execution of attacker-controlled JavaScript in the browser.
Example vulnerable usage:
<video-player
source="javascript:alert(document.domain)"
source-type="external">
</video-player>
Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.
The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering. Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.
The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.
PoC
Steps to reproduce:
1. Log in to HAX CMS as user.
2. Create a website or any page and switch to the HTML source editor (<>).
3. Insert the following payload:
<video-player source="javascript:alert('JWT: '+localStorage.getItem('jwt').substring(0,30))" source-type="external"></video-player>
Save the page.
Reload or revisit or send the page.
Result
A JavaScript alert executes. The JWT token is exposed. This confirms arbitrary JavaScript execution in the victim’s browser.
Impact
This vulnerability allows stored XSS leading to:
- Theft of JWT authentication tokens
- Session hijacking
- Full account takeover
- Execution of arbitrary JavaScript in victim browsers
If an administrator views a malicious page, this can lead to full CMS compromise.
Attack complexity: Low
Privileges required: Low (any authenticated user)
User interaction: Required
Severity
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 25.0.0"
},
"package": {
"ecosystem": "npm",
"name": "@haxtheweb/haxcms-nodejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 25.0.0"
},
"package": {
"ecosystem": "npm",
"name": "@haxtheweb/video-player"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46496"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T14:44:34Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nA stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of the `\u003cvideo-player\u003e` component.\n\nThe component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim\u2019s browser and access sensitive data such as JWT tokens and more.\n\n### Details\nThe vulnerability is present in the `\u003cvideo-player\u003e` web component used within the HAX CMS editor.\n\nThe application fails to validate or sanitize user-supplied input in the following attributes:\n- `source`\n- `source-data`\n\nThese attributes accept arbitrary URI schemes, including `javascript:`, which leads to execution of attacker-controlled JavaScript in the browser.\n\nExample vulnerable usage:\n```html\n\u003cvideo-player \n source=\"javascript:alert(document.domain)\" \n source-type=\"external\"\u003e\n\u003c/video-player\u003e\n```\n\n\nBecause this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.\n\nThe root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.\nBecause this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.\n\nThe root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.\n\n\n### PoC\n\nSteps to reproduce:\n1. Log in to HAX CMS as user.\n2. Create a website or any page and switch to the HTML source editor (`\u003c\u003e`).\n3. Insert the following payload:\n\n```html\n\u003cvideo-player source=\"javascript:alert(\u0027JWT: \u0027+localStorage.getItem(\u0027jwt\u0027).substring(0,30))\" source-type=\"external\"\u003e\u003c/video-player\u003e\n```\n\u003cimg width=\"2456\" height=\"1405\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ea037043-7ff7-4840-bed0-1091692c6289\" /\u003e\n\n\nSave the page.\n\nReload or revisit or send the page.\n\nResult\n\u003cimg width=\"2468\" height=\"1394\" alt=\"image\" src=\"https://github.com/user-attachments/assets/543bbf69-900d-4e2d-bd6b-0658fb5aa899\" /\u003e\n\n\nA JavaScript alert executes.\nThe JWT token is exposed.\nThis confirms arbitrary JavaScript execution in the victim\u2019s browser.\n\n\n### Impact\n\nThis vulnerability allows stored XSS leading to:\n\n- Theft of JWT authentication tokens \n- Session hijacking\n- Full account takeover\n- Execution of arbitrary JavaScript in victim browsers\n\nIf an administrator views a malicious page, this can lead to full CMS compromise.\n\nAttack complexity: Low \nPrivileges required: Low (any authenticated user) \nUser interaction: Required",
"id": "GHSA-2m6p-hm3w-6jm3",
"modified": "2026-05-19T14:44:34Z",
"published": "2026-05-19T14:44:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3"
},
{
"type": "PACKAGE",
"url": "https://github.com/haxtheweb/issues"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "HAX CMS: Stored XSS via \u0027\u003cvideo-player\u003e\u0027 component allows arbitrary JavaScript execution and token theft"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…