What is GHSA-g2g8-95qg-v35h?

GHSA-g2g8-95qg-v35h is a security advisory published by GitHub Security Advisories with High severity. HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint

Which CVE IDs does GHSA-g2g8-95qg-v35h cover?

GHSA-g2g8-95qg-v35h covers the following CVE IDs: CVE-2026-48527. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-g2g8-95qg-v35h?

GHSA-g2g8-95qg-v35h has a CVSS v3 base score of 8.7, published by GitHub Security Advisories.

Which products are affected by GHSA-g2g8-95qg-v35h?

GHSA-g2g8-95qg-v35h affects 1 product, including: npm/@haxtheweb/haxcms-nodejs:\u003c= 26.0.0.

GHSA-g2g8-95qg-v35hHighCVSS 8.7

HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint

Vendor

GitHub Security Advisories

Published

May 29, 2026

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2026-48527 →

📋 Description

Summary

HaxCMS is affected by a stored cross-site scripting (XSS) vulnerability in the /system/api/saveNode endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name.

For example, the sanitizer misses:

<a href="#"onclick="alert('kn1ph')">click me</a>

The important bypass is:

href="#"onclick=

The payload is stored in the generated page files and executes when a user clicks the injected link.

Details

The issue is caused by regex-based HTML sanitization that expects whitespace before event handler attributes. Because the sanitizer expects a pattern like:

href="#" onclick="..."

It fails to remove an event handler when it is written without whitespace:

href="#"onclick="..."

Browsers still parse onclick as a valid event handler attribute, so the JavaScript executes when the element is clicked.

Affected endpoint:

POST /system/api/saveNode?site_token=[VALID_SITE_TOKEN]

Affected parameter:

node.body

PoC

Log in to HaxCMS and edit any existing page.
Capture the page save request in Burp Suite:

POST /system/api/saveNode?site_token=[VALID_SITE_TOKEN]

In the JSON request body, modify only the node.body value.

Change:

"body":"...existing page content...\n"

To:

"body":"...existing page content...\n<a href=\"#\"onclick=\"alert('kn1ph')\">click me</a>\n"

Forward the request.
Open the edited page and click click me.

Result:

The JavaScript will execute and the alert will pop up.

It was confirmed that the payload is stored in the generated page files, including index.html.

Impact

An authenticated user with permissions to edit the page can inject stored JavaScript into the page content. If a privileged user interacts with the injected element while authenticated, the attacker controlled JavaScript will execute in that user’s browser.

Based on local testing, the XSS can access browser-exposed HaxCMS data such as localStorage.jwt and window.appSettings, including API paths and tokens available to the authenticated user.

This may allow an attacker to perform actions as the victim within the limits of the exposed tokens and the victim’s permissions and possibly chain more vulnerabilities.

🎯 Affected products1

npm/@haxtheweb/haxcms-nodejs:<= 26.0.0