GHSA-G2G8-95QG-V35H

Vulnerability from github – Published: 2026-05-29 14:07 – Updated: 2026-05-29 14:07
Summary
HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint
Details

Summary

HaxCMS is affected by a stored cross-site scripting (XSS) vulnerability in the /system/api/saveNode endpoint. An authenticated user with permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute with no whitespace before the attribute name.

For example, the sanitizer misses:

<a href="#"onclick="alert('kn1ph')">click me</a>

The important bypass is:

href="#"onclick=

The payload is stored in the generated page files and executes when a user clicks the injected link.

Details

The issue is caused by regex-based HTML sanitization that expects whitespace before event handler attributes. Because the sanitizer expects a pattern like:

href="#" onclick="..."

It fails to remove an event handler when it is written without whitespace:

href="#"onclick="..."

Browsers still parse onclick as a valid event handler attribute, so the JavaScript executes when the element is clicked.

Affected endpoint:

POST /system/api/saveNode?site_token=[VALID_SITE_TOKEN]

Affected parameter:

node.body
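The following is an added example written for this page, not HaxCMS code: the naive regex sanitizer is a hypothetical reconstruction of the bug class described above, not the project's actual sanitizer, and the function names (naiveStripHandlers, tokenizeAttributes, stripHandlers, findHandlers) are assumed. It shows both sides of the issue: a whitespace-anchored regex lets `href="#"onclick=` through, while an attribute tokenizer that reads attributes the way a browser does (a quoted value may be followed directly by the next attribute name) removes the handler regardless of spacing. The findHandlers helper doubles as an audit check that can be run over stored page files such as the generated index.html.

```javascript
// Added example (not HaxCMS code). Contrasts a hypothetical whitespace-anchored
// regex sanitizer, modelled on the bug class in the advisory, with an attribute
// tokenizer that follows browser parsing rules. All function names are assumed.

// Constructed sample inputs: the advisory's payload and a spaced variant.
const PAYLOAD_NO_SPACE = '<a href="#"onclick="alert(\'kn1ph\')">click me</a>';
const PAYLOAD_SPACED = '<a href="#" onclick="alert(\'kn1ph\')">click me</a>';

// Hypothetical naive sanitizer: it only strips an on* attribute when at least
// one whitespace character precedes the attribute name, so `"#"onclick=` survives.
function naiveStripHandlers(html) {
  return html.replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Tokenize one start tag's attribute text as a browser does: name, optional
// "=" and value (quoted or unquoted). After a quoted value the next attribute
// name may begin immediately, with no whitespace in between.
function tokenizeAttributes(attrText) {
  const attrs = [];
  const n = attrText.length;
  let i = 0;
  while (i < n) {
    while (i < n && /[\s\/]/.test(attrText[i])) i++; // skip whitespace and "/"
    if (i >= n) break;
    let start = i;
    while (i < n && !/[\s=\/>]/.test(attrText[i])) i++;
    const name = attrText.slice(start, i);
    if (name === "") { i++; continue; } // stray "=" with no name: skip it
    while (i < n && /\s/.test(attrText[i])) i++;
    let value = null;
    if (attrText[i] === "=") {
      i++;
      while (i < n && /\s/.test(attrText[i])) i++;
      const quote = attrText[i];
      if (quote === '"' || quote === "'") {
        const end = attrText.indexOf(quote, i + 1);
        value = end === -1 ? attrText.slice(i + 1) : attrText.slice(i + 1, end);
        i = end === -1 ? n : end + 1;
      } else {
        start = i;
        while (i < n && !/[\s>]/.test(attrText[i])) i++;
        value = attrText.slice(start, i);
      }
    }
    attrs.push({ name, value });
  }
  return attrs;
}

// Start tag: element name plus everything up to the first ">". Limitation: a
// ">" inside a quoted attribute value splits the tag, which is one reason a
// real HTML parser (or a parser-based sanitizer library) belongs in production.
const START_TAG = /<([a-zA-Z][\w:-]*)([^>]*)>/g;

// Rebuild markup with every attribute whose name begins with "on" removed,
// whether or not whitespace precedes it.
function stripHandlers(html) {
  return html.replace(START_TAG, (_m, tag, attrText) => {
    const kept = tokenizeAttributes(attrText)
      .filter((a) => !/^on/i.test(a.name))
      .map((a) => (a.value === null ? a.name : `${a.name}="${a.value.replace(/"/g, "&quot;")}"`));
    return kept.length ? `<${tag} ${kept.join(" ")}>` : `<${tag}>`;
  });
}

// Audit helper: list event-handler attributes present in stored markup (for
// example a generated index.html), regardless of how they are spaced.
function findHandlers(html) {
  const found = [];
  for (const m of html.matchAll(START_TAG)) {
    for (const a of tokenizeAttributes(m[2])) {
      if (/^on/i.test(a.name)) {
        found.push({ tag: m[1].toLowerCase(), name: a.name.toLowerCase(), value: a.value });
      }
    }
  }
  return found;
}

console.log("naive, spaced   :", naiveStripHandlers(PAYLOAD_SPACED));   // handler removed
console.log("naive, no space :", naiveStripHandlers(PAYLOAD_NO_SPACE)); // bypass: unchanged
console.log("tokenizer       :", stripHandlers(PAYLOAD_NO_SPACE));      // handler removed
console.log("audit           :", findHandlers(PAYLOAD_NO_SPACE));
```

Run it with node. The point of the tokenizer is not that it is a better regex but that it decides attribute boundaries by state (inside a name, inside a quoted value, after a quoted value) instead of by surrounding whitespace; the same logic also catches unquoted handlers such as `onfocus=alert(1)`. For a patched instance, running findHandlers over the generated page files after a saveNode request with the advisory's payload is a quick regression check.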

PoC

  1. Log in to HaxCMS and edit any existing page.

  2. Capture the page save request in Burp Suite:

POST /system/api/saveNode?site_token=[VALID_SITE_TOKEN]

  3. In the JSON request body, modify only the node.body value.

Change:

"body":"...existing page content...\n"

To:

"body":"...existing page content...\n<a href=\"#\"onclick=\"alert('kn1ph')\">click me</a>\n"

  4. Forward the request.

  5. Open the edited page and click the injected "click me" link.

Result:

The JavaScript will execute and the alert will pop up.

It was confirmed that the payload is stored in the generated page files, including index.html.

Impact

An authenticated user with permission to edit a page can inject stored JavaScript into the page content. If a privileged user interacts with the injected element while authenticated, the attacker-controlled JavaScript executes in that user's browser.

Based on local testing, the XSS can access browser-exposed HaxCMS data such as localStorage.jwt and window.appSettings, including API paths and tokens available to the authenticated user.

This may allow an attacker to perform actions as the victim within the limits of the exposed tokens and the victim’s permissions and possibly chain more vulnerabilities.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 26.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/haxcms-nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48527"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T14:07:51Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nHaxCMS is affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name.\n\nFor example, the sanitizer misses:\n\n```html\n\u003ca href=\"#\"onclick=\"alert(\u0027kn1ph\u0027)\"\u003eclick me\u003c/a\u003e\n```\n\nThe important bypass is:\n\n```html\nhref=\"#\"onclick=\n```\n\nThe payload is stored in the generated page files and executes when a user clicks the injected link.\n\n## Details\n\nThe issue is caused by regex-based HTML sanitization that expects whitespace before event handler attributes. Because the sanitizer expects a pattern like:\n\n```html\nhref=\"#\" onclick=\"...\"\n```\n\nIt fails to remove an event handler when it is written without whitespace:\n\n```html\nhref=\"#\"onclick=\"...\"\n```\n\nBrowsers still parse `onclick` as a valid event handler attribute, so the JavaScript executes when the element is clicked.\n\nAffected endpoint:\n\n```text\nPOST /system/api/saveNode?site_token=[VALID_SITE_TOKEN]\n```\n\nAffected parameter:\n\n```text\nnode.body\n```\n\n## PoC\n\n1. Log in to HaxCMS and edit any existing page.\n\n2. Capture the page save request in Burp Suite:\n\n```text\nPOST /system/api/saveNode?site_token=[VALID_SITE_TOKEN]\n```\n3. In the JSON request body, modify only the `node.body` value.\n\nChange:\n```json\n\"body\":\"...existing page content...\\n\"\n```\nTo:\n```json\n\"body\":\"...existing page content...\\n\u003ca href=\\\"#\\\"onclick=\\\"alert(\u0027kn1ph\u0027)\\\"\u003eclick me\u003c/a\u003e\\n\"\n```\n\n5. Forward the request.\n\n6. Open the edited page and click `click me`.\n\nResult:\n\nThe JavaScript will execute and the alert will pop up. \n\nIt was confirmed that the payload is stored in the generated page files, including `index.html`.\n\n## Impact\n\nAn authenticated user with permissions to edit the page can inject stored JavaScript into the page content. If a privileged user interacts with the injected element while authenticated, the attacker controlled JavaScript will execute in that user\u2019s browser.\n\nBased on local testing, the XSS can access browser-exposed HaxCMS data such as `localStorage.jwt` and `window.appSettings`, including API paths and tokens available to the authenticated user.\n\nThis may allow an attacker to perform actions as the victim within the limits of the exposed tokens and the victim\u2019s permissions and possibly chain more vulnerabilities.",
  "id": "GHSA-g2g8-95qg-v35h",
  "modified": "2026-05-29T14:07:51Z",
  "published": "2026-05-29T14:07:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-g2g8-95qg-v35h"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/haxtheweb/issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint"
}

