CVE-2026-46396
CriticalCVSS 9.3Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
HAX CMS, which manages microsites with PHP or NodeJs backends, has a stored XSS vulnerability in versions prior to 26.0.0. The issue arises from improper sanitization of `<iframe>` elements, allowing execution of malicious JavaScript.
Risk Assessment
Attackers can execute arbitrary JavaScript in the context of the victim's browser, leading to exposure of sensitive data accessible to client-side scripts.
Recommendation
It is recommended to upgrade to version 26.0.0 or later to mitigate this vulnerability.
Original NVD description (English source)
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` elements. The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts. Version 26.0.0 fixes the issue.

