CVE-2026-22704

MEDIUM EPSS 59.6%
Published Jan 10, 2026 (5mo ago) · Modified Jun 17, 2026 (1w ago)
5.4 CVSS 3.1
Medium

Description

HAX CMS helps manage a microsite universe with PHP or NodeJs backends. Versions from 11.0.6 up to, but not including, 25.0.0 are vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.

CVSS Details

Base Score: 5.4
Exploitability: 2.3
Impact: 2.7
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Threat Intelligence

EPSS Exploit Probability: 59.6% percentile
Exploit & Patch Status: Public Exploit Known, Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor | Product | Version | Range
psu | haxcms-nodejs | 11.0.6 | any

References 3

  • github.com https://github.com/haxtheweb/haxcms-nodejs/commit/317a8ae29f88be389f7cfeffaef416957122d97e
    Patch
  • github.com https://github.com/haxtheweb/haxcms-nodejs/releases/tag/v25.0.0
    Release Notes
  • github.com https://github.com/haxtheweb/issues/security/advisories/GHSA-3fm2-xfq7-7778
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/haxtheweb/haxcms-nodejs/commit/317a8ae29f88be389f7cfeffaef416957122d97e
    Patch