
High-Severity Stored XSS Vulnerability in HAX CMS (CVE-2026-48527)

Severity: High (Score: 74.0)

Sources: cve.akaoma.com, www.thehackerwire.com, Feedly, euvd.enisa.europa.eu

Published: 2026-05-29 · Updated: 2026-05-29

Keywords: cve-2026-48527, cross-site, scripting, stored, vulnerability, system, savenode

Severity indicators: vulnerability, vulnerabilities, issue, CVE:CVE-2026-48527

Summary

CVE-2026-48527 is a stored cross-site scripting (XSS) vulnerability in HAX CMS, affecting versions up to and including 26.0.0. The vulnerability exists in the `/system/api/saveNode` endpoint, where authenticated users with page editing permissions can bypass the HTML sanitizer. This allows them to inject JavaScript that executes in the browsers of users viewing the affected pages. The potential impact includes session hijacking, credential harvesting, and unauthorized actions on behalf of other users. Patches are available for the Node.js and PHP versions of HAX CMS, 26.0.1 and 26.0.2 respectively. As of now, there are no reports of active exploitation or public proof-of-concept exploits. Cybersecurity professionals consider this vulnerability an immediate threat requiring urgent mitigation. The CVSS base score assigned is 8.7, indicating high severity.

Key Points:

  • CVE-2026-48527 is a high-severity stored XSS vulnerability in HAX CMS.
  • Authenticated users with page editing permissions can exploit the vulnerability to inject malicious scripts.
  • Patches are available, and immediate action is recommended for affected users.

Detailed Analysis

**Impact**

Authenticated users with page editing permissions on HAX CMS installations running versions up to 26.0.0 (Node.js and PHP backends) are affected. The vulnerability allows persistent injection of malicious JavaScript, risking session token theft, credential harvesting, unauthorized content modification, and actions performed on behalf of other users. No specific sectors, geographies, or exploitation incidents have been reported. The vulnerability poses a high risk to organizations relying on HAX CMS for microsite management.

**Technical Details**

The vulnerability (CVE-2026-48527, CVSS 8.7) is a stored cross-site scripting (XSS) flaw in the `/system/api/saveNode` endpoint. An authenticated user bypasses the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name, enabling script execution in the browsers of users viewing the affected pages. No public proof-of-concept exploits or indicators of compromise (IOCs) have been reported. The attack targets the delivery and exploitation stages of the kill chain.

**Recommended Response**

Apply the available patches immediately: update to @haxtheweb/haxcms-nodejs version 26.0.1 or haxcms-php version 26.0.2. Restrict page editing permissions to trusted users only and implement Content Security Policy (CSP) headers to mitigate script execution risks. Audit existing content for injected malicious code and monitor for unusual page modifications. No specific detection signatures or IOCs are currently available.
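As an added illustration of the content audit step recommended above (example code written for this page, not HAX CMS project code), the following Python script scans stored page HTML with the standard-library HTML tokenizer and flags inline event-handler attributes. The point it makes is that a whitespace-anchored pattern of the kind a naive sanitizer or grep-style audit might use misses an `on*` attribute that follows a quoted value or a `/` with no intervening whitespace, whereas a real tokenizer sees the attribute the same way a browser does. The sample node records, the naive pattern and the handler name are constructed assumptions; the script also goes slightly beyond the advisory by flagging `javascript:`-scheme URL attributes, not only event handlers.

```python
"""Audit stored page HTML for script-capable attributes.

Added example for this page; not HAX CMS code. The node records below are
constructed stand-ins for rows saved through a page-editing endpoint.
"""
import re
from html.parser import HTMLParser

# Constructed sample content (not real HAX CMS data). "page-2" carries an
# event handler attribute with no whitespace before its name, the pattern
# the advisory describes; the handler body is an inert placeholder.
SAMPLE_NODES = {
    "page-1": "<p>Welcome to our <strong>microsite</strong>.</p>",
    "page-2": '<p>Team</p><img src="team.png"/onerror="sampleHandler()">',
    "page-3": '<a href="javascript:void(0)">link</a>',
}

# Whitespace-anchored pattern of the kind a naive check might use: it only
# recognises an event handler if whitespace precedes the attribute name.
NAIVE_EVENT_HANDLER = re.compile(r"\s(on\w+)\s*=", re.IGNORECASE)


class EventHandlerAuditor(HTMLParser):
    """Collect (tag, attribute, value) triples for script-capable attributes."""

    URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser tokenizes attributes the way a browser does: a name may
        # follow a quoted value or a "/" directly, without whitespace.
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append((tag, lname, value or ""))
            elif lname in self.URL_ATTRS and value:
                scheme = value.strip().lower()
                if scheme.startswith(("javascript:", "vbscript:")):
                    self.findings.append((tag, lname, value))


def naive_has_handler(html):
    """Return True only if the whitespace-anchored pattern matches."""
    return bool(NAIVE_EVENT_HANDLER.search(html))


def audit_html(html):
    """Return the list of script-capable attributes found by the tokenizer."""
    auditor = EventHandlerAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def audit_nodes(nodes):
    """Map node id -> findings for every node that has at least one finding."""
    report = {}
    for node_id, html in nodes.items():
        findings = audit_html(html)
        if findings:
            report[node_id] = findings
    return report


if __name__ == "__main__":
    for node_id, html in SAMPLE_NODES.items():
        print(node_id, "naive:", naive_has_handler(html),
              "tokenizer:", audit_html(html))
```

Run against a dump of stored node content, the tokenizer-based audit reports `page-2` and `page-3` while the naive pattern reports nothing for `page-2`, which is the gap a sanitizer of that shape leaves open. A CSP that disallows inline script (no `'unsafe-inline'` in `script-src`) limits what a missed handler can do until the patched versions are deployed.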

Source articles (4)

  • CVE-2026-48527 - Exploits & Severity — Feedly · 2026-05-29
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) HAX CMS contains a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint.…
  • CVE-2026-48527 — cve.akaoma.com (AKAOMA CVE Vulnerabilities) · 2026-05-29
    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. @haxtheweb/haxcms-nodejs 26.0.1 and haxcms-php 26.0.2 patch the issue.
    8.7 /10 Severe Risk. Cybersecurity professionals consider CVE-2026-48527 an immediate threat requiring urgent mitigation.…
  • HAX CMS Stored XSS via Sanitizer Bypass (CVE-2026-48527) — www.thehackerwire.com (TheHackerWire) · 2026-05-29
    CVE-2026-48527 identifies a high-severity (CVSS 8.7) stored cross-site scripting (XSS) vulnerability affecting HAX CMS, which supports both PHP and NodeJs backends. An attacker, having obtained authenticated access and page editing permissions, would craft a malicious input containing an event handler attribute.
  • EUVD-2026-33286 — euvd.enisa.europa.eu (EUVD - European Vulnerability Database) · 2026-05-29
    EUVD Id: EUVD-2026-33286 · Published: 2026-05-29 · Updated: 2026-05-29 · Associated IDs: GHSA-g2g8-95qg-v35h, CVE-2026-48527 · CVSS Base Score: 8.7 · CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
    Description: HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint. Affected Vendors: haxtheweb. Affected products and versions: Product: haxcms-nodejs - Version: ; Product: haxcms-php - Version:

Timeline

  • 2026-05-29 — CVE-2026-48527 published: HAX CMS vulnerability disclosed, affecting versions up to 26.0.0 with a CVSS score of 8.7.
  • 2026-05-29 — Patches released for HAX CMS: Updates to versions 26.0.1 for Node.js and 26.0.2 for PHP released to address the XSS vulnerability.

CVEs

  • CVE-2026-48527

Related entities

  • XSS (Vulnerability)
  • HAX CMS Stored XSS Via Sanitizer Bypass (Vulnerability)
  • CWE-79 - Cross-site Scripting (XSS) (CWE)
  • HAX CMS (Platform)
  • NodeJS (Platform)
  • PHP (Platform)
  • Node.js (Tool)