GHSA-JH3H-RPXG-FR36

Vulnerability from github – Published: 2026-05-19 14:46 – Updated: 2026-05-19 14:46
Summary
Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover
Details

Summary

A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of <iframe> elements.

The application accepts javascript: URIs in the src attribute and, as the PoC below shows, also stores an srcdoc attribute carrying a <script> together with sandbox="allow-scripts allow-same-origin". With both sandbox tokens present the framed document runs with the embedding page's origin, so it can read parent.window. In either form the attacker's script executes in the victim's browser when the page is viewed, with access to any data exposed to client-side scripts.

Details

Successful exploitation allows access to any data available in the browser context, including:

  • Authentication tokens (e.g., JWT)
  • Session cookies (if not protected with HttpOnly)
  • Application configuration (e.g., window.appSettings)
  • User-specific data accessible via APIs

This significantly increases the impact beyond simple script execution.

PoC

Steps to reproduce:

  1. Log in to HAX CMS as any authenticated user.
  2. Create a new page or edit an existing page.
  3. Open the HTML source editor (<>).
  4. Insert the following payload:
<!-- The script lives in srcdoc; the sandbox grants both allow-scripts and
     allow-same-origin, so the frame shares the page origin and can read parent.window -->
<iframe srcdoc="&lt;script&gt;
    (function(){
        try {
            var jwt = parent.window.appSettings.jwt;
            alert('Stolen JWT:\n' + jwt);
        } catch(e) {
            alert('Error: ' + e.message);
        }
    })();
&lt;/script&gt;" style="display:none" sandbox="allow-scripts allow-same-origin"></iframe>

[Three screenshots accompany the original advisory on GitHub; the first two are captioned "image" and the third "webhook".]
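The check a sanitizer should apply to every <iframe> before page HTML is stored or rendered, plus a triage scan that finds already-stored payloads of the shape above, as an added example in JavaScript. This is not HAX CMS code; the function names, the embed-host allowlist and the sample page are constructed for illustration.

```javascript
// Added example, not code from HAX CMS. The embed allowlist and sample page
// below are assumptions made for illustration.

// Only remote, allowlisted embeds are permitted; "javascript:", "data:" and
// inline srcdoc documents are all rejected.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const ALLOWED_EMBED_HOSTS = new Set(["www.youtube.com", "player.vimeo.com"]); // hypothetical

// A frame holding both tokens runs scripts *and* keeps the embedding page's
// origin, which is what lets the srcdoc script read parent.window.appSettings.
const FORBIDDEN_SANDBOX_PAIR = ["allow-scripts", "allow-same-origin"];

// Resolve against a placeholder base so relative URLs parse. The WHATWG parser
// strips ASCII tabs/newlines and lowercases the scheme, so "JAVASCRIPT:" and
// "java\tscript:" both normalise to "javascript:" instead of slipping past a
// naive string prefix check.
function parseSrc(src) {
  if (typeof src !== "string" || src.trim() === "") return null;
  try {
    return new URL(src, "https://placeholder.invalid/");
  } catch {
    return null;
  }
}

function parsedScheme(src) {
  const url = parseSrc(src);
  return url ? url.protocol : null;
}

function isSafeIframeSrc(src) {
  const url = parseSrc(src);
  if (!url || !ALLOWED_SCHEMES.has(url.protocol)) return false;
  return ALLOWED_EMBED_HOSTS.has(url.hostname);
}

function sandboxGrantsParentAccess(sandbox) {
  if (typeof sandbox !== "string") return false;
  const tokens = new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  return FORBIDDEN_SANDBOX_PAIR.every((t) => tokens.has(t));
}

// Returns a sanitized attribute map, or null if the element must be dropped.
// The sandbox is always rewritten: allow-same-origin is never passed through.
function sanitizeIframeAttrs(attrs) {
  if ("srcdoc" in attrs) return null;           // inline document = attacker HTML
  if (!isSafeIframeSrc(attrs.src)) return null;  // bad scheme or unknown origin
  const out = { src: attrs.src, sandbox: "allow-scripts" };
  for (const k of ["width", "height", "title", "allowfullscreen"]) {
    if (k in attrs) out[k] = attrs[k];
  }
  return out;
}

// Triage heuristic for stored content: list <iframe> tags the policy above
// would reject. A regex is acceptable for a scan; the sanitizer itself should
// run on a parsed DOM, not on regex matches.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function findDangerousIframes(html) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    const reasons = [];
    if ("srcdoc" in attrs) reasons.push("srcdoc");
    if ("src" in attrs && !isSafeIframeSrc(attrs.src)) reasons.push("src");
    if (sandboxGrantsParentAccess(attrs.sandbox)) reasons.push("sandbox");
    if (reasons.length) findings.push({ offset: m.index, reasons });
  }
  return findings;
}

// Constructed sample page: a benign embed next to the advisory's payload shape
// and a javascript: src.
const SAMPLE_PAGE = `
<p>Lecture 3</p>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe srcdoc="&lt;script&gt;parent.window.appSettings.jwt&lt;/script&gt;"
        style="display:none" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="javascript:alert(document.cookie)"></iframe>
`;

console.log(JSON.stringify(findDangerousIframes(SAMPLE_PAGE), null, 2));
```

Running the block reports the second frame for srcdoc and the sandbox pair and the third for its javascript: src; the YouTube embed passes. The scan is a hunting aid for content already in the database; the fix is to run sanitizeIframeAttrs (or an equivalent allowlist) on the parsed DOM on both the save and render paths, since a stored payload is only dangerous when it is rendered unsanitized.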

Impact

This vulnerability allows stored XSS leading to:

  • Execution of arbitrary JavaScript in victim browsers
  • Access to sensitive client-side data, including authentication tokens and session identifiers
  • Unauthorized API actions performed on behalf of the victim
  • Session hijacking and full account takeover

Because the application exposes authentication data in the client-side environment, exploitation of this vulnerability can lead to complete compromise of user accounts and site content.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 25.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/haxcms-nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 25.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/video-player"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 25.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/iframe-loader"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T14:46:47Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nA stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of `\u003ciframe\u003e` elements.\n\nThe application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim\u2019s browser and access sensitive data exposed to client-side scripts.\n\n### Details\nSuccessful exploitation allows access to any data available in the browser context, including:\n\n- Authentication tokens (e.g., JWT)\n- Session cookies (if not protected with HttpOnly)\n- Application configuration (e.g., window.appSettings)\n- User-specific data accessible via APIs\n\nThis significantly increases the impact beyond simple script execution.\n\n### PoC\nSteps to reproduce:\n\n1. Log in to HAX CMS as any authenticated user.\n2. Create a new page or edit an existing page.\n3. Open the HTML source editor (`\u003c\u003e`).\n4. Insert the following payload:\n\n```html\n\u003ciframe srcdoc=\"\u0026lt;script\u0026gt;\n    (function(){\n        try {\n            var jwt = parent.window.appSettings.jwt;\n            alert(\u0027Stolen JWT:\\n\u0027 + jwt);\n        } catch(e) {\n            alert(\u0027Error: \u0027 + e.message);\n        }\n    })();\n\u0026lt;/script\u0026gt;\" style=\"display:none\" sandbox=\"allow-scripts allow-same-origin\"\u003e\u003c/iframe\u003e\n```\n\u003cimg width=\"2446\" height=\"1319\" alt=\"image\" src=\"https://github.com/user-attachments/assets/daea3b41-8c72-4f6c-ab32-34c688bbd251\" /\u003e\n\n\n\u003cimg width=\"2464\" height=\"1397\" alt=\"image\" src=\"https://github.com/user-attachments/assets/911cbd42-db50-454a-b178-51555e0db79c\" /\u003e\n\n\n\n\u003cimg width=\"2466\" height=\"1409\" alt=\"webhook`\" src=\"https://github.com/user-attachments/assets/8a286435-98f4-418c-a596-d0c19556696a\" /\u003e\n\n### Impact\nThis vulnerability allows stored XSS leading to:\n\n- Execution of arbitrary JavaScript in victim browsers\n- Access to sensitive client-side data, including authentication tokens and session identifiers\n- Unauthorized API actions performed on behalf of the victim\n- Session hijacking and full account takeover\n\nBecause the application exposes authentication data in the client-side environment, exploitation of this vulnerability can lead to complete compromise of user accounts and site content.",
  "id": "GHSA-jh3h-rpxg-fr36",
  "modified": "2026-05-19T14:46:47Z",
  "published": "2026-05-19T14:46:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-jh3h-rpxg-fr36"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/haxtheweb/issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Stored XSS via \u003ciframe\u003e in HAX CMS allows access to sensitive client-side data and account takeover"
}