CVE-2026-46396 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-46396: HAX CMS has a stored XSS via <iframe> that allows access to sensitive client-side data and account takeover

HAX CMS helps manage a microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` elements. The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim's browser and access sensitive data exposed to client-side scripts. Version 26.0.0 fixes the issue.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in:
Affected Products: 3


HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) in HAX CMS allows an authenticated attacker to inject a malicious iframe element containing a javascript: URI into a page. When any victim views that page in a browser, the injected script executes in the victim's browser session. Successful exploitation gives the attacker full read and write access to data visible to client-side scripts, including session tokens, and allows account takeover. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability across affected image versions (haxcms-nodejs, video-player, and iframe-loader below 26.0.0).

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle any of the three affected packages.

Triage: Available

HarborGuard scores this CVE at CVSS 9.3 (Critical) and surfaces it with that severity weighting inside each customer organization; per-environment compliance policy rules further prioritize or filter the finding and route it to the appropriate team inbox for review.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment haxtheweb ships the corrective release. For customers with auto-remediation enabled, that rebuild triggers a regression run and a PR opened against affected workloads without any manual steps.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the HAX CMS service over the network to inject the malicious iframe payload into a stored page.

  • Authentication: Required

    The attacker needs at least a low-privilege authenticated account to create or edit content and plant the malicious iframe.

  • Victim interaction: Required

    A victim must navigate to or load the poisoned page in their browser for the injected javascript: URI to execute.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free once the payload is stored; no race condition or special environmental state is required.

Blast Radius

  • Reads session tokens, authentication cookies, and any sensitive data exposed to client-side scripts in the victim's browser context.
  • Performs actions as the victim user, including modifying or deleting CMS content under the victim's account.
  • Achieves full account takeover by exfiltrating credentials or forging authenticated requests on behalf of the victim.
  • Propagates the stored payload to every subsequent visitor of the affected page, multiplying impact across all users of the instance.

How HarborGuard Handles This

Available on HarborGuard: the CVE is flagged immediately upon ingestion and matched against any image bundling haxcms-nodejs, video-player, or iframe-loader below version 26.0.0. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment the haxtheweb project publishes a corrective release. In the interim, compensating controls worth evaluating include network-policy isolation to restrict which users can reach the CMS authoring interface, egress filtering to block unauthorized data exfiltration from the application tier, and feature-flag or WAF rules that strip or reject iframe src values containing javascript: URIs at the ingress layer. For customers with auto-remediation enabled, the patched rebuild will trigger automatically alongside a regression run and a PR opened against affected workloads as soon as the upstream fix is confirmed.

Affected packages
  • haxtheweb / haxcms-nodejs
    < 26.0.0
  • haxtheweb / video-player
    < 26.0.0
  • haxtheweb / iframe-loader
    < 26.0.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N