Threat Advisory

HaxCMS Vulnerability Produces Web Page Scripting Effects

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-48527, with a CVSS score of 8.7, is a stored cross-site scripting vulnerability affecting HaxCMS. The flaw arises from a regex-based HTML sanitizer that expects whitespace before event-handler attributes; by omitting the space, an attacker can inject malicious JavaScript that bypasses sanitization and is saved to page content through the /system/api/saveNode endpoint. Exploitation requires network access, low attack complexity, and low privileges: an authenticated user with page-edit permissions and a valid site token can submit a crafted request containing malicious content. When a victim interacts with the compromised page, the injected script executes within the victim's browser context, potentially exposing sensitive browser-accessible data such as authentication tokens and application settings while enabling unauthorized actions within the victim's permission scope. The business impact includes token theft, unauthorized API activity, data exfiltration, and reputational damage, particularly in environments where privileged users frequently access HaxCMS-managed sites. Successful exploitation depends on the attacker obtaining editing privileges and convincing a victim to interact with the malicious content.
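As an added illustration of the sanitizer weakness the summary describes, the snippet below places a whitespace-anchored regex filter beside a version that tokenizes each tag's attributes instead. This is example code, not HaxCMS's own sanitizer; the regexes, function names and sample markup are all constructed for this example.

```javascript
// Weak filter: the leading \s means a handler written directly after a
// closing quote (no space) is never matched and survives sanitization.
const WEAK_HANDLER_RE = /\s(on[a-z]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;

function weakStrip(html) {
  return html.replace(WEAK_HANDLER_RE, "");
}

// Hardened filter: rebuild every opening tag from its tokenized attribute
// list, so an attribute is recognised by its position in the tag rather than
// by the character that happens to precede it. (Quoted values containing '>'
// are out of scope here; a production sanitizer should use a real HTML parser.)
const TAG_RE = /<([a-zA-Z][\w:-]*)([^>]*?)(\/?)>/g;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function stripEventHandlers(html) {
  return html.replace(TAG_RE, (whole, name, attrs, selfClose) => {
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      const [, attrName, value] = m;
      if (/^on/i.test(attrName)) continue; // drop onclick, onerror, ONLOAD, ...
      kept.push(value === undefined ? attrName : `${attrName}=${value}`);
    }
    const joined = kept.length ? " " + kept.join(" ") : "";
    return `<${name}${joined}${selfClose}>`;
  });
}

// Detection check usable on stored content: does any tag still carry an
// on* attribute, regardless of the spacing around it?
function containsEventHandler(html) {
  for (const tag of html.matchAll(TAG_RE)) {
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      if (/^on/i.test(attr[1])) return true;
    }
  }
  return false;
}

// Constructed samples: the same inert handler with and without the space.
const SPACED = '<img src="x.png" onerror="h()">';
const UNSPACED = '<img src="x.png"onerror="h()">';

console.log(weakStrip(UNSPACED) === UNSPACED);                 // true: weak filter misses it
console.log(containsEventHandler(stripEventHandlers(UNSPACED))); // false: hardened filter removes it
```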

RECOMMENDATION:

  • We recommend updating @haxtheweb/haxcms-nodejs to version 26.0.1 or later.

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-g2g8-95qg-v35h
