CVE-2026-22704

8.0 HIGH

📋 TL;DR

HAX CMS versions 11.0.6 through 24.x are vulnerable to stored cross-site scripting (XSS), allowing attackers to inject malicious scripts that persist in the CMS. When executed, these scripts could lead to account takeover by stealing session cookies or credentials. This affects all HAX CMS deployments using vulnerable versions.

💻 Affected Systems

Products:
  • HAX CMS
Versions: 11.0.6 to 24.x
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both PHP and Node.js backend implementations of HAX CMS.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of administrator accounts leading to full site takeover, data theft, and further malware deployment.

🟠 Likely Case

Session hijacking leading to unauthorized content modification, privilege escalation, or data exfiltration.

🟢 If Mitigated

Limited impact with proper input validation and output encoding in place, potentially only affecting non-critical user data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Stored XSS typically requires some level of content creation access, but could be exploited through compromised accounts or social engineering.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 25.0.0

Vendor Advisory: https://github.com/haxtheweb/issues/security/advisories/GHSA-3fm2-xfq7-7778

Restart Required: Yes

Instructions:

1. Back up your HAX CMS installation and database.
2. Update to version 25.0.0 via package manager or manual download.
3. Restart the web server/service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Input Sanitization (applies to: all)

Implement strict input validation and output encoding for all user-controllable fields.

Content Security Policy (applies to: all)

Deploy a strict Content Security Policy to limit what an injected script can do. Add the HTTP response header Content-Security-Policy: default-src 'self'; script-src 'self' to CMS pages. Because this policy omits 'unsafe-inline', it blocks inline scripts, which is what makes it effective against stored XSS, but it will also break any legitimate inline scripts or third-party script sources the site relies on, so test it in report-only mode first.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Disable user content creation features until patching is possible

🔍 How to Verify

Check if Vulnerable:

Check HAX CMS version in admin panel or package.json file

Check Version:

grep '"version"' package.json

Verify Fix Applied:

Confirm the version is 25.0.0 or higher, then confirm that test content containing script markup is rendered inert (encoded, not executed) when the page is viewed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual content creation/modification patterns
  • Suspicious script tags in content submissions

Network Indicators:

  • Unexpected external script loads from CMS pages
  • Suspicious cookie/session activity

SIEM Query:

source="web_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
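As an added example (not part of this advisory or the HAX CMS project), the script below applies both checks described above: it classifies the version found in package.json against the affected range (11.0.6 up to but not including the 25.0.0 fix) and runs the SIEM query's markers over web-log lines after URL-decoding them, so encoded payloads such as %3Cscript%3E are not missed. The package.json contents, the log lines and the /cms/save path are constructed placeholders, not real HAX CMS data or routes.

```python
import json
import re
from typing import List, Tuple
from urllib.parse import unquote

# Version bounds taken from the advisory above: 11.0.6 is the first affected
# release, 25.0.0 is the patched release.
VULN_MIN = (11, 0, 6)
FIXED = (25, 0, 0)

def parse_version(s: str) -> Tuple[int, int, int]:
    """Reduce 'v24.3.1' or '24.3.1-beta' to a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_vulnerable(version: str) -> bool:
    """True when 11.0.6 <= version < 25.0.0, i.e. inside the affected range."""
    return VULN_MIN <= parse_version(version) < FIXED

def check_package_json(text: str) -> dict:
    """Read the 'version' field the advisory tells you to grep for and classify it."""
    version = json.loads(text)["version"]
    return {"version": version, "vulnerable": is_vulnerable(version)}

# The markers from the advisory's SIEM query. Matching is done on the
# URL-decoded line so encoded payloads (%3Cscript%3E) are not missed.
XSS_MARKERS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)

def flag_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, line) for each web-log line that carries an XSS marker."""
    return [(n, line) for n, line in enumerate(lines, 1)
            if XSS_MARKERS.search(unquote(line))]

# Constructed sample input (not from a real deployment); /cms/save is a
# placeholder path, not a real HAX CMS route.
SAMPLE_PACKAGE_JSON = '{"name": "hax-cms-example", "version": "24.0.2"}'
SAMPLE_LOG = [
    '10.0.0.5 - editor [12/Jan/2026:10:01:02 +0000] "POST /cms/save HTTP/1.1" 200 512',
    '10.0.0.9 - editor [12/Jan/2026:10:01:40 +0000] "POST /cms/save?body=%3Cscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - editor [12/Jan/2026:10:02:11 +0000] "GET /site/page?img=x%20onerror=1 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print(check_package_json(SAMPLE_PACKAGE_JSON))
    for n, line in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: {line}")
```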
