HAXcms Cross-Tenant Account Takeover via Stored XSS and Token Exposure
2 rules, 2 TTPs
HAXcms is vulnerable to stored XSS and exposes authentication tokens in the `/system/api/connectionSettings` endpoint, allowing an attacker to perform cross-tenant account takeover by injecting malicious JavaScript that steals the `jwt`, `user_token`, `site_token`, and `appstore_token` values.
HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis
2 rules, 2 TTPs
Multiple functions in open-apis use substring-only matching to validate hostnames, allowing an attacker to perform Server-Side Request Forgery (SSRF) and capture authentication credentials by redirecting requests to an attacker-controlled endpoint.
HAXcms Node.js Backend Private Key Disclosure via Broken HMAC Implementation
2 rules, 1 TTP
The HAXcms Node.js backend contains two cryptographic implementation errors in the `hmacBase64()` function that allow an unauthenticated attacker to extract the system's private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs), giving them full admin access with a single HTTP request.
HAXcms createSite SSRF Enables Arbitrary File Read
2 rules, 1 TTP, 2 IOCs
HAXcms is vulnerable to Server-Side Request Forgery (SSRF) via the createSite endpoint: an authenticated user can supply arbitrary URLs or local file paths, which are fetched server-side without validation and written to a web-accessible directory, enabling arbitrary file read, internal network access, and cloud credential exposure. This vulnerability is tracked as CVE-2026-46393.