CVE Catalog

CVE-2026-46396

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.05%

15th percentile — higher than 15% of all known CVEs

Summary

HAX CMS, which manages microsites with PHP or NodeJs backends, has a stored XSS vulnerability in versions prior to 26.0.0. The issue arises from improper sanitization of `<iframe>` elements, allowing execution of malicious JavaScript.

Risk Assessment

Attackers can execute arbitrary JavaScript in the context of the victim's browser, leading to exposure of sensitive data accessible to client-side scripts.

Recommendation

It is recommended to upgrade to version 26.0.0 or later to mitigate this vulnerability.

Original NVD description (English source)

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` elements. The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts. Version 26.0.0 fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS