HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft

Description

A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of the <video-player> component.

The component allows javascript: URIs in the source attribute, which are executed when the page is viewed.

Recommendation

Update the @haxtheweb/video-player package to the latest compatible version. Followings are version details:

• Affected version(s): <= 25.0.0
• Patched version(s): 26.0.0

References

• GHSA-2m6p-hm3w-6jm3
• CVE-2026-46496
• CWE-116
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover - @haxtheweb/video-player - CVE-2026-46396
• Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover - CVE-2026-46396
• Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS - CVE-2026-40171
• jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" pr - CVE-2026-25940

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

@haxtheweb/video-player