CVSS 8.7 HIGH Vulnerability

CVE-2026-48527: HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint

Summary: HaxCMS is affected by a stored cross-site scripting (XSS) vulnerability in the /system/api/saveNode endpoint. An authenticated user with permission to edit pages can bypass the HTML sanitizer by injecting an e…

CVSS Score: 8.7
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-48527
Vendor: npm
Affected Product: @haxtheweb/haxcms-nodejs
Vulnerability Type: Vulnerability
CVSS Score: 8.7 (HIGH)
Actively Exploited: No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Summary

HaxCMS is affected by a stored cross-site scripting (XSS) vulnerability in the /system/api/saveNode endpoint. An authenticated user with permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. For example, the sanitizer misses a link (`click me`) that carries the event handler in this form. The important bypass is:

```html
href="#"onclick=
```

The payload is stored in the generated page files and executes when a user clicks the injected link.

Details

The issue is caused by regex-based HTML sanitization that expects whitespace before event handler attributes. Because the sanitizer expects a pattern like:

```html
href="#" onclick="..."
```

it fails to remove an event handler when it is written without whitespace:

```html
href="#"onc
```
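As an added illustration (not HaxCMS's own sanitizer, which the advisory does not show), the defect class described above: a regex that only recognises an event handler when whitespace precedes its name, beside an attribute-tokenising version that strips handlers wherever they sit, plus a check a defender can run over stored page files. The sample markup and the handler value `handler()` are constructed for this example.

```javascript
// Weak sanitizer: the leading `\s+` means an attribute glued to the previous
// quoted value (`href="#"onclick=`) is never matched and survives.
function stripHandlersWeak(html) {
  return html.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Hardened variant: tokenise each tag's attribute list and decide by the
// attribute NAME, not by what precedes it. Any name starting with "on" is
// dropped regardless of spacing or quoting style.
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
const TAG_RE = /<([a-zA-Z][\w-]*)([^>]*?)(\/?)>/g;

function stripHandlersHardened(html) {
  return html.replace(TAG_RE, (whole, tag, attrs, slash) => {
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      if (m[1].toLowerCase().startsWith("on")) continue; // event handler
      kept.push(m[2] === undefined ? m[1] : `${m[1]}=${m[2]}`);
    }
    return `<${tag}${kept.length ? " " + kept.join(" ") : ""}${slash}>`;
  });
}

// Detection helper: flag stored page content where an on* attribute
// immediately follows a closing quote, the exact shape the advisory names.
function hasGluedHandler(html) {
  return /["']on\w+\s*=/i.test(html);
}

// Constructed sample (not taken from the advisory): the "click me" link with
// the handler written without whitespace after href="#".
const sample = '<a href="#"onclick="handler()">click me</a>';
const spaced = '<a href="#" onclick="handler()">click me</a>';

console.log(stripHandlersWeak(sample));       // unchanged: handler survives
console.log(stripHandlersHardened(sample));   // <a href="#">click me</a>
console.log(stripHandlersWeak(spaced));       // <a href="#">click me</a>
console.log(hasGluedHandler(sample), hasGluedHandler(spaced)); // true false
```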
