CVE-2026-46511
HighCVSS 8.7Exploitation Probability (EPSS)
Low risk19th percentile - higher than 19% of all known CVEs
Summary
HAX CMS prior to version 26.0.0 had a Stored XSS vulnerability that, combined with dynamic token exposure in the `/system/api/connectionSettings` endpoint, allowed an authenticated attacker to perform a complete account takeover of other users. The attacker could exploit this vulnerability to steal session tokens from the victim's browser.
Risk Assessment
Organizations using HAX CMS are at risk of complete user account takeover, which can lead to data loss and privacy breaches. An attacker could gain access to sensitive information and resources.
Recommendation
It is recommended to update HAX CMS to version 26.0.0 or later to mitigate this vulnerability. Additionally, conducting a security audit of the application and monitoring user activity is advisable.
Original NVD description (English source)
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the `jwt`, `user_token`, `site_token`, and `appstore_token`) into a global JavaScript variable (`window.appSettings`). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook. Version 26.0.0 patches the issue.

