VULNERABILITY BRIEF · 🟠 High Vulnerability

Stored XSS (CVE‑2026‑22704) in HAX CMS 24.x Enables Arbitrary Script Execution

A stored cross‑site scripting vulnerability (CVE‑2026‑22704) in HAX CMS 24.x lets low‑privilege users upload malicious HTML that executes in any visitor’s browser. The flaw can be leveraged to steal credentials or deliver ransomware, posing a supply‑chain risk for any organization that relies on the CMS.

LiveThreat™ Intelligence · 📅 April 29, 2026 · 📰 exploit-db.com
  • Severity: High
  • Type: Vulnerability
  • Confidence: High
  • Affected: 4 sector(s)
  • Actions: 3 recommended
  • Source: exploit-db.com

What Happened – A stored cross‑site scripting (XSS) flaw (CVE‑2026‑22704) was discovered in HAX CMS 24.x. Authenticated low‑privilege users can upload HTML files that are rendered without proper sanitisation, allowing malicious JavaScript to run in the browsers of any user who views the file.

Why It Matters for TPRM

  • Attackers can hijack sessions, steal credentials, or inject ransomware‑delivery scripts into a vendor‑managed web portal.
  • The vulnerability is exploitable on any deployment of HAX CMS, a component often embedded in larger SaaS or digital‑experience platforms.
  • Third‑party risk assessments must consider the downstream impact on customers whose data passes through compromised CMS instances.

Who Is Affected – Technology & SaaS providers, digital‑experience agencies, e‑commerce sites, and any organization that integrates HAX CMS as a content‑delivery layer.

Recommended Actions

  • Verify whether any current or prospective vendors use HAX CMS ≤ 24.x.
  • Require immediate patching to a version > 24.x or temporary mitigation (disable HTML uploads, enforce CSP).
  • Validate that vendors have web‑application firewall (WAF) and content‑security‑policy (CSP) controls in place.

Technical Notes – The flaw stems from insufficient sanitisation of uploaded HTML files (stored XSS). No CVE‑linked public exploit existed before this entry, but proof‑of‑concept scripts are publicly available (Exploit‑DB #52526). Affected data types include any session cookies, CSRF tokens, or embedded credentials rendered in the victim’s browser. Source: https://www.exploit-db.com/exploits/52526
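The mitigations listed under Recommended Actions (rejecting HTML uploads, enforcing CSP) and the root cause in the Technical Notes (uploaded HTML rendered without sanitisation) can be expressed as a small upload policy. The Python below is an added example written for this brief; it is not code from HAX CMS, from the Exploit‑DB entry, or from LiveThreat. It assumes a generic upload handler in which the defender controls the accepted file types and the response headers used to serve stored uploads; the function names, the allowlist, and the sample files are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Allowlist of types a low-privilege author may upload. HTML, SVG and XML are
# deliberately absent: a browser will run script embedded in any of them.
ALLOWED_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".pdf": "application/pdf",
    ".txt": "text/plain",
}

# Leading bytes that identify the binary types above.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF-",
}

# Tags that turn a "text" file into a document the browser may execute
# if it is ever rendered inline (case-insensitive match).
ACTIVE_MARKUP = re.compile(
    rb"<\s*(!doctype|html|head|body|script|svg|iframe|object|embed|meta|link)\b",
    re.IGNORECASE,
)


@dataclass
class Decision:
    accepted: bool
    reason: str
    content_type: str = "application/octet-stream"


def classify_upload(filename: str, data: bytes) -> Decision:
    """Accept an upload only if its extension is allowlisted AND its bytes
    match that type; text uploads must not contain HTML/SVG markup."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return Decision(False, f"extension {ext or '(none)'} not allowlisted")
    ctype = ALLOWED_TYPES[ext]
    magic = MAGIC.get(ctype)
    if magic is not None and not data.startswith(magic):
        # Extension claims image/PDF but the bytes disagree: treat as spoofed.
        return Decision(False, f"content does not match {ctype} signature")
    if ctype.startswith("text/") and ACTIVE_MARKUP.search(data[:8192]):
        return Decision(False, "text upload contains HTML/SVG markup")
    return Decision(True, "ok", ctype)


def download_headers(content_type: str, filename: str) -> dict:
    """Headers for serving a stored upload so that, even if a file slipped
    through, the browser will not render it as a page in the site's origin."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": content_type,
        # Stop MIME sniffing from upgrading text/plain to text/html.
        "X-Content-Type-Options": "nosniff",
        # Force a download rather than inline rendering.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # If it is rendered anyway, nothing may load or run, and the document
        # is sandboxed away from the site's origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    # Constructed sample uploads (not artefacts from the advisory).
    samples = [
        ("page.html", b"<html><body><script>console.log('x')</script></body></html>"),
        ("notes.txt", b"  <SCRIPT>console.log('markup in a txt file')</SCRIPT>"),
        ("logo.png", b"<svg xmlns='http://www.w3.org/2000/svg'></svg>"),
        ("logo.png", b"\x89PNG\r\n\x1a\n" + bytes(16)),
        ("readme.txt", b"plain release notes, no markup"),
    ]
    for name, body in samples:
        d = classify_upload(name, body)
        print(f"{name:12} accepted={d.accepted!s:5} {d.reason}")
        if d.accepted:
            print("   headers:", download_headers(d.content_type, name))
```

The two functions are independent layers: `classify_upload` implements "disable HTML uploads" at ingest time, while `download_headers` implements the CSP/nosniff controls at serve time, so a file that bypasses the first check still cannot execute in the site's origin. Serving uploads from a separate, cookie-less origin would add a third layer that this example does not show.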

📰 Original Source
https://www.exploit-db.com/exploits/52526

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
