CVE-2026-46511: HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack
HAX CMS helps manage a microsite universe with PHP or Node.js backends. Prior to version 26.0.0, an attack chain combining Stored XSS with dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the `jwt`, `user_token`, `site_token`, and `appstore_token`) into a global JavaScript variable (`window.appSettings`). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook. Version 26.0.0 patches the issue.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 2
HarborGuard Analysis
Synopsis
This is a stored cross-site scripting (XSS) vulnerability combined with a token-leaking API in HAXcms (both the Node.js and PHP backends). An authenticated attacker with any low-privilege account plants a malicious script that, when a victim loads the affected page, silently calls the /system/api/connectionSettings endpoint and extracts four authentication tokens exposed in the global window.appSettings JavaScript variable. Successful exploitation gives the attacker full control of the victim's session, enabling complete cross-tenant account takeover. No fix has been published yet; HarborGuard tracks this advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle HAXcms Node.js or PHP packages. Any image containing an affected version of haxcms-nodejs or haxcms-php is flagged automatically.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 8.7 (High, v4.0) and weighting it against each environment's compliance policy to determine urgency. Routed findings can be directed to the appropriate team inbox within each customer org based on image ownership and policy configuration.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment HAXcms ships a remediated release. In the meantime, compensating controls such as network-policy isolation of the HAXcms service, egress filtering to block outbound webhook calls from container workloads, and disabling the /system/api/connectionSettings endpoint at the ingress layer can be applied while awaiting an upstream patch.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the HAXcms service over the network to plant the stored XSS payload and to trigger the /system/api/connectionSettings token-leaking endpoint.
- Authentication: Required
Any low-privilege account is sufficient; the attacker only needs a valid login to inject the malicious script into stored content.
- Victim interaction: Not required
No victim interaction beyond normal browsing is needed; the malicious script executes silently when a victim loads the page containing the injected payload.
- Attack complexity: Low
The exploit is reliable and condition-free; no race conditions, memory layout dependencies, or special environmental factors are required to complete the attack chain.
Blast Radius
- Reads all four active session authentication tokens (jwt, user_token, site_token, and appstore_token) from the victim's browser and exfiltrates them to an attacker-controlled endpoint.
- Takes over the victim's authenticated session, giving the attacker the same privileges as the compromised account across all tenants accessible to that account.
- Modifies or deletes site content and configuration within any tenant the victim can access, because the stolen tokens authenticate all write operations.
- Crashes or corrupts microsite environments the victim manages by issuing authenticated destructive API calls using the exfiltrated tokens.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-46511, HarborGuard continuously monitors the advisory and will make a patched-image rebuild available as soon as HAXcms version 26.0.0 or a later remediated release is published. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point. While awaiting the upstream patch, HarborGuard can surface this finding for manual compensating-control review. Recommended interim controls include isolating HAXcms container workloads behind a network policy that blocks unsolicited egress, applying ingress-layer rules that restrict access to the /system/api/connectionSettings endpoint to trusted internal callers only, and reviewing stored content for injected scripts. For customers whose compliance policy flags unpatched High-severity issues for escalation, this CVE will route to the designated security inbox automatically.
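As an added example (not HarborGuard's or HAXcms's own code), a small Python scanner for the "review stored content for injected scripts" control above: it flags inline scripts, event-handler attributes and javascript: URLs in stored HTML fragments, and rates any match that references the /system/api/connectionSettings endpoint or window.appSettings as high, because those are the indicators this advisory describes. The sample pages are constructed, and the regexes are heuristics rather than a full HTML parser.

```python
import re
from typing import Dict, List

# Generic inline-script indicators (heuristic regexes, not a full HTML parser).
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
EVENT_HANDLER = re.compile(r"\son[a-z]+\s*=\s*(['\"]).*?\1", re.IGNORECASE | re.DOTALL)
JS_URL = re.compile(r"\b(?:href|src)\s*=\s*['\"]\s*javascript:[^'\"]*", re.IGNORECASE)
# Page-specific escalation: the advisory's payload calls /system/api/connectionSettings
# and reads window.appSettings, so any stored script touching either is rated high.
TOKEN_LEAK_REF = re.compile(r"connectionSettings|window\.appSettings", re.IGNORECASE)

def scan_fragment(html: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious construct found in a stored HTML fragment."""
    matches = []
    for kind, pattern in (("script_tag", SCRIPT_TAG),
                          ("event_handler", EVENT_HANDLER),
                          ("javascript_url", JS_URL)):
        matches += [(kind, m.group(0)) for m in pattern.finditer(html)]
    return [{"kind": kind,
             "severity": "high" if TOKEN_LEAK_REF.search(text) else "medium",
             "snippet": text.strip()[:80]}
            for kind, text in matches]

def scan_site_content(pages: Dict[str, str]) -> Dict[str, List[Dict[str, str]]]:
    """Scan a mapping of page id -> stored HTML; pages with no findings are omitted."""
    report = {}
    for page_id, html in pages.items():
        findings = scan_fragment(html)
        if findings:
            report[page_id] = findings
    return report

# Constructed sample content (not real HAXcms data): one clean page, two tampered ones.
SAMPLE_PAGES = {
    "about": "<h1>About</h1><p>Welcome to our <a href='/team'>team</a> page.</p>",
    "news": "<p>Latest</p><script>fetch('/system/api/connectionSettings')</script>",
    "links": "<p>See <a href='javascript:void(0)' onclick='go()'>here</a></p>",
}

if __name__ == "__main__":
    for page_id, findings in scan_site_content(SAMPLE_PAGES).items():
        for f in findings:
            print(f"{page_id}: {f['severity']:6} {f['kind']:15} {f['snippet']}")
```

Run it against an export of stored page content; a "high" finding is the one worth triaging first, since a benign site has no reason to reference the token endpoint from inline content.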
Affected Products
- haxtheweb/haxcms-nodejs: < 26.0.0
- haxtheweb/haxcms-php: < 26.0.0
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N