CVE-2026-46496: HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
HAX CMS helps manage a microsite universe with PHP or Node.js backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-player>` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim's browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue.
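The defensive check that closes this class of bug is an allowlist on the URL scheme of the `source` attribute, applied with the same parsing rules a browser uses. The example below is added here and is not HAX CMS project code; the function names, the `cms.example` base origin and the sample markup are constructed for illustration.

```javascript
// Added example, not code from the HAX CMS project: an allowlist check for the
// `source` attribute of a <video-player>-style component, plus a scanner that
// finds stored markup whose `source` value fails that check.

// Only these schemes may reach the media element. Everything else (javascript:,
// data:, vbscript:, blob:, file: ...) is rejected; no denylist to bypass.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// The WHATWG URL parser strips leading/trailing spaces and control characters,
// removes tabs and newlines inside the string and lower-cases the scheme, so
// "  JavaScript:alert(1)" and "java\tscript:alert(1)" are both classified as
// javascript: URIs, exactly as a browser would treat them. Relative paths
// resolve against `base` (assumed CMS origin). `allowedHosts` optionally pins
// media to known hosts so protocol-relative URLs cannot point elsewhere.
function isSafeMediaSource(raw, base = "https://cms.example/", allowedHosts = null) {
  if (typeof raw !== "string" || raw.trim() === "") return false;
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return false; // unparseable: never hand it to the player
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return false;
  if (allowedHosts && !allowedHosts.has(url.hostname)) return false;
  return true;
}

// Value to write into the attribute: the original string when it is safe,
// otherwise an empty string so the player renders nothing.
function sanitizeVideoSource(raw, base, allowedHosts) {
  return isSafeMediaSource(raw, base, allowedHosts) ? raw : "";
}

// Stored HTML carries entity-encoded attributes; "&#106;avascript:" decodes to
// "javascript:" in the browser. Numeric entities only; use a real HTML parser
// for named entities (&colon; etc.) in production scanning.
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)));
}

// Scan stored page HTML for <video-player> tags whose source fails the check and
// return the raw offending attribute values for review or cleanup.
const VIDEO_PLAYER_RE = /<video-player\b[^>]*?\ssource\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function findUnsafeVideoSources(html, base, allowedHosts) {
  const hits = [];
  for (const m of html.matchAll(VIDEO_PLAYER_RE)) {
    const value = m[1] ?? m[2] ?? m[3] ?? "";
    if (!isSafeMediaSource(decodeNumericEntities(value), base, allowedHosts)) hits.push(value);
  }
  return hits;
}

// Constructed sample content: one legitimate player and two that must be flagged.
const SAMPLE_HTML = [
  '<video-player source="https://cms.example/media/intro.mp4"></video-player>',
  '<video-player title="x" source="  JavaScript:alert(1)"></video-player>',
  "<video-player source='&#106;avascript:alert(1)'></video-player>",
].join("\n");
```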
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 2
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) in HAX CMS allows an attacker with a low-privilege account to inject malicious JavaScript into the `<video-player>` component by supplying a `javascript:` URI in the `source` attribute. The vulnerability is reachable over the network and triggers when any victim views the affected page, requiring no further attacker interaction after the payload is planted. Successful exploitation gives the attacker arbitrary JavaScript execution in the victim's browser, enabling theft of JWT tokens and other sensitive session data, as well as tampering with page content in the victim's session. No upstream fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as a fix is released.
HarborGuard Coverage
Detection of CVE-2026-46496 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images incorporating haxcms-nodejs or video-player packages. Any image layer containing an affected version of either package is flagged automatically in the pipeline scan results.
Status: Available
Triage is available with the full CVSS v4.0 score of 9.3 (Critical) surfaced alongside per-environment compliance policy weighting, so teams with stricter policies on third-party CMS components receive elevated priority routing. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment haxtheweb ships a remediated release of haxcms-nodejs or video-player. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically once a fix version becomes available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the HAX CMS instance over the network to plant the stored payload, and victims must be able to load the affected page from their browser.
- Authentication: Required
  The attacker needs at least a low-privilege account on the HAX CMS instance to create or edit content containing the malicious `<video-player>` component.
- Victim interaction: Required
  A victim must view the page containing the injected payload for the JavaScript to execute in their browser session.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout dependencies, or other environmental prerequisites.
Blast Radius
- Reads JWT tokens and session credentials stored in the victim's browser, enabling account takeover or authenticated API access as that user.
- Executes arbitrary JavaScript in the victim's browser context, allowing the attacker to exfiltrate any data visible on the page including customer records or configuration details.
- Modifies page content rendered in the victim's session, enabling phishing flows or redirection to attacker-controlled infrastructure.
- Propagates impact to downstream systems (SC:H, SI:H) if stolen tokens carry elevated privileges or cross-service authentication rights within the same trust boundary.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the CVE-2026-46496 advisory is active, with re-ingestion on every feed cycle so that the moment haxtheweb publishes a fix for haxcms-nodejs or video-player, a patched-image rebuild becomes available automatically. Because no fix version exists today, recommended compensating controls include applying network-policy isolation to restrict which authenticated roles can create or edit video-player components, enabling egress filtering on CMS containers to limit the reach of any injected payload, and using a Content Security Policy header that blocks `javascript:` URI execution as a browser-level defense. For customers who opt into auto-remediation, the full rebuild-plus-regression-run-plus-PR flow will activate as soon as an upstream fix is ingested, with a typical median time from CVE fix publication to merged patch PR of around 90 minutes for Critical-severity issues in environments with auto-remediation enabled.
Affected Products
- haxtheweb / haxcms-nodejs: < 26.0.0
- haxtheweb / video-player: < 26.0.0
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N