CVE-2026-48527 | Severity: HIGH | CNA: GitHub_M

CVE-2026-48527: HaxCMS has a stored Cross-Site Scripting (XSS) bypass in saveNode endpoint

HAX CMS helps manage a microsite universe with PHP or Node.js backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint. An authenticated user with permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. @haxtheweb/haxcms-nodejs 26.0.1 and haxcms-php 26.0.2 patch the issue.

HarborGuard Analysis

Synopsis

Stored cross-site scripting in HaxCMS lets an authenticated editor bypass the HTML sanitizer in the /system/api/saveNode endpoint by omitting whitespace before an event handler attribute. Exploitation requires a low-privilege account with page-edit permission and a victim who views the poisoned page, after which attacker-supplied JavaScript runs in the victim's browser session with full read and write access to their HaxCMS context. Patched-image rebuilds at haxcms-nodejs 26.0.1 and haxcms-php 26.0.2 are available on HarborGuard for affected environments.
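To make the bypass mechanism concrete, the following added example (not HaxCMS code, and not its actual sanitizer) contrasts a hypothetical whitespace-anchored event-handler filter with a tokenizer-based check, run over constructed samples whose handler values are inert. It illustrates why a filter that assumes whitespace precedes every attribute name misses attributes that directly follow the tag name or a quoted value, which is the class of defect the advisory describes.

```python
# Added example (not HaxCMS code): a whitespace-anchored handler filter
# versus a tokenizer-based check that does not depend on whitespace.
import re
from html.parser import HTMLParser

# Hypothetical weak filter: assumes whitespace always precedes an attribute name.
WEAK_HANDLER_RE = re.compile(r"\s+on[a-z]+\s*=", re.IGNORECASE)

def weak_filter_flags(html: str) -> bool:
    """True if the whitespace-anchored pattern sees an event handler attribute."""
    return WEAK_HANDLER_RE.search(html) is not None

class HandlerFinder(HTMLParser):
    """Collect (tag, attribute) pairs for every on* attribute, the way a
    browser tokenizer sees them, regardless of the character before the name."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.found.append((tag, name.lower()))

def parser_handlers(html: str) -> list:
    """Return the on* attributes a tokenizer finds in the fragment."""
    finder = HandlerFinder()
    finder.feed(html)
    finder.close()
    return finder.found

# Constructed samples with inert handler values (no real payload).
SAMPLES = {
    "spaced":        '<img src="a.png" onerror=x>',     # both checks see this
    "after_tagname": '<svg/onload=x>',                   # '/' ends the tag name
    "after_quoted":  '<a href="/p"onclick=x>more</a>',   # no space after a quoted value
    "benign":        '<p class="note">on duty</p>',       # "on" in text, not an attribute
}

def compare(samples=SAMPLES) -> dict:
    """Map sample name -> (weak filter flagged it, handler names found by the parser)."""
    return {k: (weak_filter_flags(v), [n for _, n in parser_handlers(v)])
            for k, v in samples.items()}

if __name__ == "__main__":
    for name, (weak, parsed) in compare().items():
        print(f"{name:14} weak_regex={weak!s:5} parser={parsed}")
```

The tokenizer-based result is the one a defender should trust: any `on*` attribute the browser would honour is reported, whatever preceded it.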

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment. The advisory is ingested from upstream feeds within minutes of publication and matched against haxcms-nodejs and haxcms-php layers in customer registries and build pipelines, including custom-built images that vendor these packages.

Triage (Available)

Triage is available with the published CVSS 3.1 score of 8.7 (High) applied to each finding and re-weighted by each customer's compliance policy. Findings route to the appropriate inbox inside each customer org based on image ownership and environment tier.

Patch (Pending upstream)

Patched-image rebuilds at haxcms-nodejs 26.0.1 and haxcms-php 26.0.2 are available on HarborGuard for affected environments. Customers with auto-remediation enabled get a rebuilt image, a regression-test run, and a PR opened against workloads pinned to the vulnerable versions.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the HaxCMS saveNode endpoint over the network, typically the same exposure surface as the CMS admin UI.

  • Authentication: Required

    A low-privilege account with permission to edit pages is sufficient; no admin role is needed.

  • Victim interaction: Required

    A separate user must load the page containing the injected event handler for the stored payload to execute.

  • Attack complexity: Low (AC:L)

    AC:L indicates the sanitizer bypass is reliable once the malformed attribute syntax is known.

Blast Radius

  • Executes attacker-controlled JavaScript in the browser of any user who views the poisoned page, under that user's HaxCMS session.
  • Reads session cookies, auth tokens, and any CMS content the victim can access.
  • Performs authenticated writes as the victim, including editing other pages, escalating the stored payload to additional viewers, or changing account settings exposed to their role.
  • Scope change (S:C) means the impact extends beyond the CMS into other origins the victim's browser trusts, such as embedded admin tooling on the same site.

How HarborGuard Handles This

Available on HarborGuard: matching of haxcms-nodejs and haxcms-php layers against this advisory within minutes of publication, with patched-image rebuilds at 26.0.1 (nodejs) and 26.0.2 (php) generated for affected environments. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the fix version, runs the regression suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy gates automatic merges, the rebuilt image and diff are staged for review in the customer's triage inbox.


Metrics

CVSS v3.1: 8.7
Severity: HIGH
Fixed in: haxcms-nodejs 26.0.1, haxcms-php 26.0.2
Affected products: 2
Affected packages:
  • haxtheweb / haxcms-nodejs < 26.0.1
  • haxtheweb / haxcms-php < 26.0.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N