GHSA-jh3h-rpxg-fr36
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jh3h-rpxg-fr36
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-jh3h-rpxg-fr36/GHSA-jh3h-rpxg-fr36.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jh3h-rpxg-fr36
- Aliases
-
- CVE-2026-46396
- Published
- 2026-05-19T14:46:47Z
- Modified
- 2026-05-19T15:00:08.880504385Z
- Severity
-
- 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover
- Details
-
Summary
A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of
<iframe>elements.The application allows
javascript:URIs in thesrcattribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts.Details
Successful exploitation allows access to any data available in the browser context, including:
- Authentication tokens (e.g., JWT)
- Session cookies (if not protected with HttpOnly)
- Application configuration (e.g., window.appSettings)
- User-specific data accessible via APIs
This significantly increases the impact beyond simple script execution.
PoC
Steps to reproduce:
- Log in to HAX CMS as any authenticated user.
- Create a new page or edit an existing page.
- Open the HTML source editor (
<>). - Insert the following payload:
<iframe srcdoc="<script> (function(){ try { var jwt = parent.window.appSettings.jwt; alert('Stolen JWT:\n' + jwt); } catch(e) { alert('Error: ' + e.message); } })(); </script>" style="display:none" sandbox="allow-scripts allow-same-origin"></iframe><img width="2446" height="1319" alt="image" src="https://github.com/user-attachments/assets/daea3b41-8c72-4f6c-ab32-34c688bbd251" />
<img width="2464" height="1397" alt="image" src="https://github.com/user-attachments/assets/911cbd42-db50-454a-b178-51555e0db79c" />
<img width="2466" height="1409" alt="webhook`" src="https://github.com/user-attachments/assets/8a286435-98f4-418c-a596-d0c19556696a" />
Impact
This vulnerability allows stored XSS leading to:
- Execution of arbitrary JavaScript in victim browsers
- Access to sensitive client-side data, including authentication tokens and session identifiers
- Unauthorized API actions performed on behalf of the victim
- Session hijacking and full account takeover
Because the application exposes authentication data in the client-side environment, exploitation of this vulnerability can lead to complete compromise of user accounts and site content.
- Database specific
{ "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2026-05-19T14:46:47Z", "nvd_published_at": null, "severity": "HIGH" }- References
Affected packages
npm / @haxtheweb/haxcms-nodejs
Package
- Name
- @haxtheweb/haxcms-nodejs
- View open source insights on deps.dev
- Purl
- pkg:npm/%40haxtheweb%2Fhaxcms-nodejs
npm / @haxtheweb/video-player
Package
- Name
- @haxtheweb/video-player
- View open source insights on deps.dev
- Purl
- pkg:npm/%40haxtheweb%2Fvideo-player
npm / @haxtheweb/iframe-loader
Package
- Name
- @haxtheweb/iframe-loader
- View open source insights on deps.dev
- Purl
- pkg:npm/%40haxtheweb%2Fiframe-loader