We’re taking on a small number of new builds and rebuilds this quarter. Book a call to see if your project is a fit.

CVE CVE-2026-22704

CVE-2026-22704

PHP

Severity: HIGH
CVSS: 8CVSS
Published: 2026-01-10
Last modified: 2026-02-05
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-79

Description

HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.

References

https://github.com/haxtheweb/haxcms-nodejs/commit/317a8ae29f88be389f7cfeffaef416957122d97e
https://github.com/haxtheweb/haxcms-nodejs/releases/tag/v25.0.0
https://github.com/haxtheweb/issues/security/advisories/GHSA-3fm2-xfq7-7778

Summary

Description

References