
CVE-2026-48527

HIGH NVD
CVSS Score 8.7
Severity HIGH
Published May 29, 2026
Vendor unknown

Description

HAX CMS helps manage a microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint. An authenticated user with permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. @haxtheweb/haxcms-nodejs 26.0.1 and haxcms-php 26.0.2 patch the issue.
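The attribute-boundary problem described above can be turned into a sanitizer regression check. The following is an added example, not HAX CMS code: `naiveStrip`, `parseAttrs`, `strictStrip` and the sample markup are hypothetical names and constructed input, and the whitespace-anchored filter is an assumed stand-in for the class of sanitizer the description implies.

```javascript
// Added illustration; neither function is HAX CMS code.
// Constructed sample: no whitespace between the closing quote and the handler name.
const SAMPLE = '<a href="/docs"onclick="demo()">docs</a>';

// Hypothetical filter that assumes whitespace always precedes an attribute name.
function naiveStrip(html) {
  return html.replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Split a tag's attribute text the way an HTML tokenizer does: once a quoted
// value closes, the next character starts a new attribute name.
function parseAttrs(s) {
  const attrs = [];
  let i = 0;
  while (i < s.length) {
    while (i < s.length && /[\s\/]/.test(s[i])) i++;
    if (i >= s.length) break;
    let start = i++;
    while (i < s.length && !/[\s\/=]/.test(s[i])) i++;
    const name = s.slice(start, i).toLowerCase();
    while (i < s.length && /\s/.test(s[i])) i++;
    let value = null;
    if (s[i] === '=') {
      i++;
      while (i < s.length && /\s/.test(s[i])) i++;
      if (s[i] === '"' || s[i] === "'") {
        const end = s.indexOf(s[i], i + 1);
        value = s.slice(i + 1, end < 0 ? s.length : end);
        i = end < 0 ? s.length : end + 1;
      } else {
        start = i;
        while (i < s.length && !/\s/.test(s[i])) i++;
        value = s.slice(start, i);
      }
    }
    attrs.push([name, value]);
  }
  return attrs;
}

// Rebuild every start tag from parsed attributes, dropping any on* handler.
const TAG = /<([a-z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
function strictStrip(html) {
  return html.replace(TAG, (_, tag, rest) => {
    const kept = parseAttrs(rest)
      .filter(([name]) => !name.startsWith('on'))
      .map(([n, v]) => (v === null ? n : `${n}="${v.replace(/"/g, '&quot;')}"`));
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}
```

The block covers only the attribute-boundary case named in the description and is not a complete sanitizer; it is suited to a unit test that feeds the same input to the sanitizer actually deployed.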

References