Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover

Description

A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of <iframe> elements.

The application allows javascript: URIs in the src attribute, which are executed when a malicious page is viewed.

Recommendation

Update the @haxtheweb/iframe-loader package to the latest compatible version. Followings are version details:

• Affected version(s): <= 25.0.0
• Patched version(s): 26.0.0

References

• GHSA-jh3h-rpxg-fr36
• CVE-2026-46396
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover - @haxtheweb/video-player - CVE-2026-46396
• HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft - CVE-2026-46496
• Parse Server: Account takeover via operator injection in authentication data identifier - CVE-2026-32248
• OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover - CVE-2026-44720

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

@haxtheweb/iframe-loader