CVE-2026-46511 HIGH

CVE-2026-46511: HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack

Vendor Haxtheweb
Product haxcms-nodejs
Weakness CWE-79 · XSS
Published June 5, 2026
Last update June 8, 2026
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the `jwt`, `user_token`, `site_token`, and `appstore_token`) into a global JavaScript variable (`window.appSettings`). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook. Version 26.0.0 patches the issue.

Key dates

02Disclosure timeline

June 5, 2026 CVE published
June 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-27959 WordPress APIExperts Square for WooCommerce plugin <= 4.2.9 - Cross Site Scripting (XSS) vulnerability CVE-2026-33245 React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets CVE-2025-40721 Reflected Cross-site Scripting (XSS) vulnerability in Quiter Gateway CVE-2024-11914 Gutenberg Blocks and Page Layouts – Attire Blocks <= 1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-31501