
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vul…

Published:

28 May 2026 at 22:00:00

Alert date:

29 May 2026 at 14:01:48

Source:

nvd.nist.gov

Web Technologies

HAX CMS versions up to 26.0.0 contain a stored cross-site scripting vulnerability in the /system/api/saveNode endpoint. Authenticated users with page editing permissions can bypass HTML sanitization by injecting event handler attributes without whitespace before the attribute name. This affects both PHP and NodeJs backends. The vulnerability has been patched in haxcms-nodejs 26.0.1 and haxcms-php 26.0.2.
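
The bypass described above comes down to a filter and the browser disagreeing on where an attribute name starts. The following is an added example, not HAX CMS code: the filter, function names and sample markup are constructed. It contrasts a hypothetical whitespace-anchored regex filter with a check that follows the HTML tokenizer's attribute boundaries and can be run over stored page content or used as a sanitizer regression test.

```javascript
// Added example: not HAX CMS code. Function names and sample markup are constructed.
const isWs = (c) => c === " " || c === "\t" || c === "\n" || c === "\f" || c === "\r";

// Hypothetical naive filter: strips on*= attributes only when whitespace precedes the name.
function naiveStrip(html) {
  return html.replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Collect attribute names from start tags using the HTML tokenizer's boundaries:
// after a quoted value, the next non-space character starts a new attribute name.
// Scope is start tags only; comments and raw-text elements are not modelled.
function attributeNames(html) {
  const names = [];
  const n = html.length;
  let i = 0;
  while ((i = html.indexOf("<", i)) !== -1) {
    i++;
    if (!/[a-z]/i.test(html[i] || "")) continue; // not a start tag
    while (i < n && !isWs(html[i]) && html[i] !== "/" && html[i] !== ">") i++; // tag name
    while (i < n && html[i] !== ">") {
      if (isWs(html[i]) || html[i] === "/") { i++; continue; }
      let name = html[i++]; // first character always belongs to the name
      while (i < n && !isWs(html[i]) && !"/>=".includes(html[i])) name += html[i++];
      names.push(name.toLowerCase());
      while (i < n && isWs(html[i])) i++;
      if (html[i] !== "=") continue; // attribute without a value
      i++;
      while (i < n && isWs(html[i])) i++;
      if (html[i] === '"' || html[i] === "'") {
        const end = html.indexOf(html[i], i + 1);
        i = end === -1 ? n : end + 1; // no whitespace is required after the closing quote
      } else {
        while (i < n && !isWs(html[i]) && html[i] !== ">") i++; // unquoted value
      }
    }
  }
  return names;
}

// Event handler content attributes all begin with "on"; flag any that survive filtering.
function eventHandlerAttributes(html) {
  return attributeNames(html).filter((name) => name.startsWith("on"));
}

// Constructed sample inputs: same attribute, with and without the separating space.
const spaced = '<img src="x" onerror="console.log(1)">';
const unspaced = '<img src="x"onerror="console.log(1)">';
```

The regex filter leaves `unspaced` unchanged, while `eventHandlerAttributes` reports `onerror` for it, which is the mismatch a sanitizer built on an attribute allowlist over parsed markup avoids.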

Affected products:

HAX CMS
haxcms-nodejs
haxcms-php

This article was created with the assistance of AI technology by Perceptive.
