CVE-2026-22704

Source
https://cve.org/CVERecord?id=CVE-2026-22704
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22704.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22704
Aliases
Published
2026-01-10T06:22:45.076Z
Modified
2026-02-06T21:34:40.073717Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover
Details

HAX CMS helps manage a microsite universe with PHP or NodeJs backends. In versions from 11.0.6 up to, but not including, 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22704.json"
}
References

Affected packages

Git / github.com/haxtheweb/haxcms-nodejs

Affected ranges

Type
GIT
Repo
https://github.com/haxtheweb/haxcms-nodejs
Events

Affected versions

v11.*
v11.0.10
v11.0.11
v11.0.12
v11.0.13
v11.0.14
v11.0.15
v11.0.6
v11.0.7
v11.0.8
v11.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22704.json"