Home > Vulnerability Database > CVE-2026-22704

Mend.io Vulnerability Database

CVE-2026-22704

Good to know:

Date: January 10, 2026

HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.

Severity Score

8.0

Related Resources (6)

Url: https://github.com/haxtheweb/haxcms-nodejs/commit/317a8ae29f88be389f7cfeffaef416957122d97e

Url: https://github.com/haxtheweb/issues

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22704

Url: https://github.com/haxtheweb/issues/security/advisories/GHSA-3fm2-xfq7-7778

Url: https://github.com/haxtheweb/haxcms-nodejs/releases/tag/v25.0.0

Url: https://www.mend.io/vulnerability-database/CVE-2026-22704

Severity Score

8.0

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version @haxtheweb/haxcms-nodejs - 25.0.0;https://github.com/haxtheweb/haxcms-nodejs.git - v25.0.0

Learn More

CVSS v3.1

Base Score:	8.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22704

Good to know:

Date: January 10, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?