GHSA-2M6P-HM3W-6JM3

Vulnerability from github – Published: 2026-05-19 14:44 – Updated: 2026-05-19 14:44
Summary
HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
Details

Summary

A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of the <video-player> component.

The component allows javascript: URIs in the source attribute, and these are executed when the page is viewed. This lets an attacker run arbitrary JavaScript in the context of the victim's browser and read sensitive data such as JWT tokens.

Details

The vulnerability is present in the <video-player> web component used within the HAX CMS editor.

The application fails to validate or sanitize user-supplied input in the following attributes:

  • source
  • source-data

These attributes accept arbitrary URI schemes, including javascript:, which leads to execution of attacker-controlled JavaScript in the browser.

Example vulnerable usage:

<video-player 
  source="javascript:alert(document.domain)" 
  source-type="external">
</video-player>

Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.

The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.
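One way to close the gap described above, shown here as an added example that is not the HAX CMS project's own code: a URI scheme allowlist for media-source attributes, applied both when a <video-player> element is accepted from the editor and as an audit over HTML that is already in storage. The attribute names source and source-data come from the advisory; the function names, the allowlist, the placeholder base URL and the sample stored HTML are constructed for this example and are not taken from the project.

```javascript
// Added example (not HAX CMS project code): scheme allowlisting for the
// media-source attributes that the advisory names.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MEDIA_ATTRS = ["source", "source-data"]; // attribute names from the advisory

// Strip surrounding whitespace and embedded tab/CR/LF so that variants such as
// " JavaScript:" or "java\tscript:" are seen as the same scheme. The WHATWG URL
// parser does this too; doing it explicitly keeps the check independent of
// parser details and makes the intent visible to reviewers.
function normalizeUrl(raw) {
  return String(raw).trim().replace(/[\t\n\r]/g, "");
}

// Returns true only for absolute or relative URLs that resolve to http(s).
// `base` is a placeholder origin used only to resolve relative paths; it is an
// assumption of this example, not a real endpoint.
function isSafeMediaUrl(raw, base = "https://example.invalid/") {
  if (raw == null || raw === "") return false;
  let parsed;
  try {
    parsed = new URL(normalizeUrl(raw), base);
  } catch {
    return false; // unparsable input is rejected, never passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Filters the attribute map of one <video-player> element. Offending media
// attributes are dropped outright rather than "repaired", so the element
// degrades to a player with no source instead of an executable one.
function sanitizeVideoPlayerAttrs(attrs) {
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(attrs)) {
    if (MEDIA_ATTRS.includes(name.toLowerCase()) && !isSafeMediaUrl(value)) {
      dropped.push(name);
      continue;
    }
    kept[name] = value;
  }
  return { attrs: kept, dropped };
}

// Audit helper for content that was stored before the fix: scans serialized
// HTML for <video-player ...> start tags and reports the ones whose media
// attributes fail the allowlist. A regex is sufficient here because it only
// has to locate candidate tags; the decision is made by isSafeMediaUrl.
const TAG_RE = /<video-player\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function auditStoredHtml(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const attrs = {};
    for (const m of tag[1].matchAll(ATTR_RE)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
    }
    const { dropped } = sanitizeVideoPlayerAttrs(attrs);
    if (dropped.length > 0) {
      findings.push({
        offset: tag.index,
        attributes: dropped,
        values: dropped.map((n) => attrs[n]),
      });
    }
  }
  return findings;
}

// Constructed sample of stored page content: one benign player and one whose
// source carries a javascript: scheme.
const SAMPLE_STORED_HTML = `
<h1>Lesson 1</h1>
<video-player source="https://cdn.example.org/lesson1.mp4" source-type="external"></video-player>
<p>Notes</p>
<video-player source="javascript:alert(1)" source-type="external"></video-player>
`;

console.log(JSON.stringify(auditStoredHtml(SAMPLE_STORED_HTML), null, 2));
```

The allowlist deliberately names the schemes that are acceptable instead of blocking javascript: specifically; a blocklist would still let data: or vbscript: through, and the audit output (attribute name, value and byte offset) is what an incident responder needs to locate and clean affected pages.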

PoC

Steps to reproduce:

1. Log in to HAX CMS as a user.
2. Create a website or any page and switch to the HTML source editor (<>).
3. Insert the following payload:

<video-player source="javascript:alert('JWT: '+localStorage.getItem('jwt').substring(0,30))" source-type="external"></video-player>

4. Save the page.
5. Reload or revisit the page, or send it to another user.

Result:

A JavaScript alert executes. The JWT token is exposed. This confirms arbitrary JavaScript execution in the victim’s browser.

Impact

This vulnerability allows stored XSS leading to:

  • Theft of JWT authentication tokens
  • Session hijacking
  • Full account takeover
  • Execution of arbitrary JavaScript in victim browsers

If an administrator views a malicious page, this can lead to full CMS compromise.

Attack complexity: Low
Privileges required: Low (any authenticated user)
User interaction: Required


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 25.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/haxcms-nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 25.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/video-player"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T14:44:34Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nA stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of the `\u003cvideo-player\u003e` component.\n\nThe component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim\u2019s browser and access sensitive data such as JWT tokens and more.\n\n### Details\nThe vulnerability is present in the `\u003cvideo-player\u003e` web component used within the HAX CMS editor.\n\nThe application fails to validate or sanitize user-supplied input in the following attributes:\n- `source`\n- `source-data`\n\nThese attributes accept arbitrary URI schemes, including `javascript:`, which leads to execution of attacker-controlled JavaScript in the browser.\n\nExample vulnerable usage:\n```html\n\u003cvideo-player \n  source=\"javascript:alert(document.domain)\" \n  source-type=\"external\"\u003e\n\u003c/video-player\u003e\n```\n\n\nBecause this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.\n\nThe root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.\nBecause this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.\n\nThe root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.\n\n\n### PoC\n\nSteps to reproduce:\n1. Log in to HAX CMS as user.\n2. Create a website or any page and switch to the HTML source editor (`\u003c\u003e`).\n3. Insert the following payload:\n\n```html\n\u003cvideo-player source=\"javascript:alert(\u0027JWT: \u0027+localStorage.getItem(\u0027jwt\u0027).substring(0,30))\" source-type=\"external\"\u003e\u003c/video-player\u003e\n```\n\u003cimg width=\"2456\" height=\"1405\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ea037043-7ff7-4840-bed0-1091692c6289\" /\u003e\n\n\nSave the page.\n\nReload or revisit or send the page.\n\nResult\n\u003cimg width=\"2468\" height=\"1394\" alt=\"image\" src=\"https://github.com/user-attachments/assets/543bbf69-900d-4e2d-bd6b-0658fb5aa899\" /\u003e\n\n\nA JavaScript alert executes.\nThe JWT token is exposed.\nThis confirms arbitrary JavaScript execution in the victim\u2019s browser.\n\n\n### Impact\n\nThis vulnerability allows stored XSS leading to:\n\n- Theft of JWT authentication tokens \n- Session hijacking\n- Full account takeover\n- Execution of arbitrary JavaScript in victim browsers\n\nIf an administrator views a malicious page, this can lead to full CMS compromise.\n\nAttack complexity: Low  \nPrivileges required: Low (any authenticated user)  \nUser interaction: Required",
  "id": "GHSA-2m6p-hm3w-6jm3",
  "modified": "2026-05-19T14:44:34Z",
  "published": "2026-05-19T14:44:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/haxtheweb/issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "HAX CMS: Stored XSS via \u0027\u003cvideo-player\u003e\u0027 component allows arbitrary JavaScript execution and token theft"
}