CVE-2026-46396

CVE-2026-46396 is a high-severity cross-site scripting (XSS) vulnerability in @haxtheweb/haxcms-nodejs (npm), affecting versions <= 25.0.0. It is fixed in 26.0.0.

Summary

A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of <iframe> elements.

The application allows javascript: URIs in the src attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts.

Details

Successful exploitation allows access to any data available in the browser context, including:

  • Authentication tokens (e.g., JWT)
  • Session cookies (if not protected with HttpOnly)
  • Application configuration (e.g., window.appSettings)
  • User-specific data accessible via APIs

This significantly increases the impact beyond simple script execution.

PoC

Steps to reproduce:

  1. Log in to HAX CMS as any authenticated user.
  2. Create a new page or edit an existing page.
  3. Open the HTML source editor (<>).
  4. Insert the following payload:
<iframe srcdoc="&lt;script&gt;
    (function(){
        try {
            var jwt = parent.window.appSettings.jwt;
            alert('Stolen JWT:\n' + jwt);
        } catch(e) {
            alert('Error: ' + e.message);
        }
    })();
&lt;/script&gt;" style="display:none" sandbox="allow-scripts allow-same-origin"></iframe>

Impact

This vulnerability allows stored XSS leading to:

  • Execution of arbitrary JavaScript in victim browsers
  • Access to sensitive client-side data, including authentication tokens and session identifiers
  • Unauthorized API actions performed on behalf of the victim
  • Session hijacking and full account takeover

Because the application exposes authentication data in the client-side environment, exploitation of this vulnerability can lead to complete compromise of user accounts and site content.

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
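The Summary and PoC above describe two ways a stored <iframe> turns into active script: a javascript: URI in src, and an inline srcdoc body whose sandbox grants both allow-scripts and allow-same-origin (so the framed script can reach parent.window). The JavaScript below is an added example, not HAX CMS or Kodem code: a policy check over <iframe> start tags in stored HTML that flags those patterns. It goes beyond the literal payload on the page by normalizing the src value the way a browser does before matching the scheme (entity decoding, stripping of ASCII whitespace and control characters, case folding). All sample markup is constructed and deliberately inert; the tag and attribute regexes assume well-formed start tags and are a detection aid for reviewing stored content, not a substitute for an allowlist-based HTML sanitizer.

```javascript
// Added example (not HAX CMS or Kodem code): flag <iframe> start tags in stored
// HTML that match the patterns in this advisory. Sample markup is constructed.

// An <iframe ...> start tag; quoted attribute values may contain '>' and newlines.
const IFRAME_TAG_RE = /<iframe\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
// name, or name=value with a double-quoted, single-quoted or unquoted value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Minimal entity decoder: browsers decode entities in attribute values before
// interpreting a URL, so "&#106;avascript:" must be treated as "javascript:".
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    const key = body.toLowerCase();
    return key in named ? named[key] : whole;
  });
}

function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!(name in attrs)) attrs[name] = value; // browsers keep the first duplicate
  }
  return attrs;
}

// Normalize like a URL parser would before scheme matching: decode entities,
// drop ASCII whitespace and control characters, fold case.
function isJavaScriptUrl(value) {
  const normalized = decodeEntities(value).replace(/[\x00-\x20]/g, '').toLowerCase();
  return normalized.startsWith('javascript:');
}

// Returns one finding per <iframe> start tag with the list of policy issues.
function auditIframes(html) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_TAG_RE)) {
    const attrs = parseAttributes(m[1]);
    const issues = [];
    if ('srcdoc' in attrs) issues.push('srcdoc'); // inline markup is same-origin by default
    if ('src' in attrs && isJavaScriptUrl(attrs.src)) issues.push('javascript-src');
    if ('sandbox' in attrs) {
      const tokens = new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
      if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
        issues.push('sandbox-escapable'); // framed script can reach parent.window
      }
    }
    findings.push({ tag: m[0], issues });
  }
  return findings;
}

function isIframeAllowed(html) {
  return auditIframes(html).every((f) => f.issues.length === 0);
}

// Constructed samples (inert: no script bodies).
const SAMPLES = {
  srcdocSandbox: '<iframe srcdoc="&lt;p&gt;hello&lt;/p&gt;" style="display:none" sandbox="allow-scripts allow-same-origin"></iframe>',
  obfuscatedJsSrc: '<iframe src="&#106;ava\tSCRIPT:void(0)"></iframe>',
  benign: '<p>Intro</p><iframe src="https://example.com/embed" sandbox="allow-scripts" allowfullscreen></iframe>',
};

for (const [label, html] of Object.entries(SAMPLES)) {
  console.log(label, auditIframes(html).map((f) => f.issues));
}
```

Run over the constructed samples, the first is flagged for srcdoc and the escapable sandbox, the second for its obfuscated javascript: src, and the third passes. The srcdoc check is unconditional because inline markup has the embedding page's origin whether or not a sandbox is present; the sandbox check only adds that the attribute, as written in the PoC, grants nothing back.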

Affected versions

  • @haxtheweb/haxcms-nodejs (<= 25.0.0)
  • @haxtheweb/video-player (<= 25.0.0)
  • @haxtheweb/iframe-loader (<= 25.0.0)

Security releases

  • @haxtheweb/haxcms-nodejs → 26.0.0 (npm)
  • @haxtheweb/video-player → 26.0.0 (npm)
  • @haxtheweb/iframe-loader → 26.0.0 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade the following packages to resolve this vulnerability:

  • @haxtheweb/haxcms-nodejs to 26.0.0 or later
  • @haxtheweb/video-player to 26.0.0 or later
  • @haxtheweb/iframe-loader to 26.0.0 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
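Upgrading is only half the remediation step: the affected packages can also be pulled in transitively, so the check worth running is over the whole installed tree, not just package.json. The JavaScript below is an added example, not Kodem or HAX tooling: it walks an `npm ls --all --json`-style tree and reports every installed copy of the three packages listed above at a version within the <= 25.0.0 range, with the dependency path that brought it in. The tree is constructed for the example; the version comparison treats a prerelease as older than its release and treats an unparseable version as affected rather than silently passing it.

```javascript
// Added example (not Kodem or HAX tooling): report installed copies of the
// packages in this advisory at affected versions. The tree is constructed.

const ADVISORY = {
  '@haxtheweb/haxcms-nodejs': { affectedUpTo: '25.0.0', fixed: '26.0.0' },
  '@haxtheweb/video-player': { affectedUpTo: '25.0.0', fixed: '26.0.0' },
  '@haxtheweb/iframe-loader': { affectedUpTo: '25.0.0', fixed: '26.0.0' },
};

// major.minor.patch with an optional prerelease tag; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative, zero or positive like a comparator; a prerelease sorts before its release.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

function isAffected(name, version) {
  const adv = ADVISORY[name];
  if (!adv) return false;
  const v = parseVersion(version);
  if (!v) return true; // unparseable version: do not silently pass it
  return compareVersions(v, parseVersion(adv.affectedUpTo)) <= 0;
}

// Recursively walk the "dependencies" objects of an `npm ls --json` tree.
function findAffected(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const chain = [...path, `${name}@${node.version}`];
    if (isAffected(name, node.version)) {
      out.push({ name, version: node.version, path: chain.join(' > '), fixed: ADVISORY[name].fixed });
    }
    findAffected(node, chain, out);
  }
  return out;
}

// Constructed tree: one direct affected copy, one transitive affected copy,
// one package already on the fixed release, one unrelated package.
const SAMPLE_TREE = {
  name: 'my-site',
  version: '1.0.0',
  dependencies: {
    '@haxtheweb/haxcms-nodejs': {
      version: '25.0.0',
      dependencies: { '@haxtheweb/iframe-loader': { version: '24.3.1' } },
    },
    '@haxtheweb/video-player': { version: '26.0.0' },
    express: { version: '4.19.2' },
  },
};

// Against a real project: npm ls --all --json > tree.json, then pass
// JSON.parse(fs.readFileSync('tree.json', 'utf8')) to findAffected.
for (const hit of findAffected(SAMPLE_TREE)) {
  console.log(`${hit.path}: upgrade ${hit.name} to ${hit.fixed} or later`);
}
```

The path in each hit tells you whether a bump in your own package.json is enough or whether an intermediate dependency must be updated first, which is the difference between a one-line fix and a pinned override.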

Frequently Asked Questions

  1. What is CVE-2026-46396? CVE-2026-46396 is a high-severity cross-site scripting (XSS) vulnerability in @haxtheweb/haxcms-nodejs (npm), affecting versions <= 25.0.0. It is fixed in 26.0.0. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. Which packages are affected by CVE-2026-46396?
    • @haxtheweb/haxcms-nodejs (npm) (versions <= 25.0.0)
    • @haxtheweb/video-player (npm) (versions <= 25.0.0)
    • @haxtheweb/iframe-loader (npm) (versions <= 25.0.0)
  3. Is there a fix for CVE-2026-46396? Yes. CVE-2026-46396 is fixed in 26.0.0. Upgrade to this version or later.
  4. Is CVE-2026-46396 exploitable, and should I be worried? Whether CVE-2026-46396 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-46396 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-46396?
    • Upgrade @haxtheweb/haxcms-nodejs to 26.0.0 or later
    • Upgrade @haxtheweb/video-player to 26.0.0 or later
    • Upgrade @haxtheweb/iframe-loader to 26.0.0 or later

