HAX CMS: Headless Authoring, Headless Admins
Jan 13, 2026
Executive Summary (TL;DR)
HAX CMS allowed users to upload arbitrary HTML files that were then served from the same origin as the admin panel. Because script in such a file runs in the admin panel's origin, the Same-Origin Policy offers no protection: by tricking an admin into opening a malicious file, an attacker could steal JWTs via the `haxcms_refresh_token` cookie. Fixed in v25.0.0 by forcing downloads for HTML files.
A high-severity Stored XSS vulnerability in HAX CMS allowed attackers to upload malicious HTML files that, when viewed by an administrator, automatically harvested session tokens, enabling full account takeover.
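As an added example (not HAX CMS's own code, which this page does not show), the following Node.js helper has the shape of the v25.0.0 mitigation: uploads a browser would render as a document are forced to download rather than served inline on the application's origin. It goes slightly beyond the page by also covering XHTML, SVG and XML and by sniffing leading bytes; the function names and the sample uploads are constructed for this illustration.

```javascript
// Added example, not HAX CMS's own code: decide how a user upload is served.
// Anything a browser would render as an active document on the site's origin
// (HTML, and here also XHTML, SVG and XML) is forced to download, which is the
// shape of the v25.0.0 fix; other files are served inline with sniffing off.

// Extensions and MIME types browsers treat as scriptable documents.
const ACTIVE_EXT = new Set(['.html', '.htm', '.shtml', '.xhtml', '.xht', '.svg', '.xml']);
const ACTIVE_MIME = new Set(['text/html', 'application/xhtml+xml',
  'image/svg+xml', 'text/xml', 'application/xml']);

// Extension and MIME type are attacker-controlled (markup can be uploaded as
// notes.txt), so also peek at the leading bytes. Constructed heuristic, not a
// full MIME sniffer.
function looksLikeMarkup(content) {
  const head = String(content).slice(0, 512).trimStart().toLowerCase();
  return ['<!doctype', '<html', '<script', '<svg', '<?xml'].some(p => head.startsWith(p));
}

// Returns the response headers for one upload. All names here are hypothetical.
function uploadHeaders(filename, declaredMime, content) {
  const base = filename.split(/[\\/]/).pop();              // drop any path part
  const ext = (base.match(/\.[^.]+$/) || [''])[0].toLowerCase();
  const mime = (declaredMime || '').toLowerCase();
  const active = ACTIVE_EXT.has(ext) || ACTIVE_MIME.has(mime) || looksLikeMarkup(content);
  // Only safe characters in the filename parameter, so it cannot inject header text.
  const safeName = base.replace(/[^\w.\-]/g, '_');
  const headers = {
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `${active ? 'attachment' : 'inline'}; filename="${safeName}"`,
  };
  if (active) {
    // Opaque bytes plus a sandboxed CSP: even if a browser still renders it,
    // the document gets an opaque origin and cannot read cookies or call admin APIs.
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Security-Policy'] = "sandbox; default-src 'none'";
  } else {
    headers['Content-Type'] = mime || 'application/octet-stream';
  }
  return headers;
}

// Constructed sample uploads (no real files).
const SAMPLES = [
  ['page.html', 'text/html', '<html><body>sample</body></html>'],
  ['notes.txt', 'text/plain', '<!DOCTYPE html><p>renamed markup</p>'],
  ['logo.png', 'image/png', Buffer.from([0x89, 0x50, 0x4e, 0x47])],
];
for (const [name, mime, body] of SAMPLES) {
  console.log(name, uploadHeaders(name, mime, body)['Content-Disposition']);
}
```

A file route would apply these headers before streaming the stored bytes; the download-only treatment is what removes the uploaded document from the admin panel's origin.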
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| haxcms-nodejs (haxtheweb) | >= 11.0.6, < 25.0.0 | 25.0.0 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-79 (Improper Neutralization of Input During Web Page Generation) |
| CVSS v3.1 | 8.1 (High) |
| Attack Vector | Network |
| Privileges Required | Low (User capable of uploading files) |
| Impact | Account Takeover (JWT Theft) |
| EPSS Score | 0.041% |
CWE-79 description:
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.