Cyber Posture

CVE-2026-22704

Severity: High · Public PoC

Published: 10 January 2026
Modified: 05 February 2026
KEV Added: not listed
Patch: fixed in version 25.0.0 (see Deeper analysis)
CVSS Score: 8.0 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0008 (22.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22704 is a high-severity Cross-site Scripting (CWE-79) vulnerability in HAX CMS (psu/haxcms-nodejs). Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). Its EPSS score places it at the 22.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007) and one other technique, Drive-by Compromise (T1189). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 Information Input Validation (prevent): input validation directly prevents the injection of malicious scripts in stored XSS vulnerabilities like CVE-2026-22704 by checking and sanitizing user input before it is stored.

SI-15 Information Output Filtering (prevent): output filtering prevents execution of already-stored malicious scripts by encoding or escaping content before HAX CMS renders it.

SI-2 Flaw Remediation (prevent): flaw remediation calls for timely patching of vulnerabilities such as the stored XSS in HAX CMS versions before 25.0.0, which addresses the root cause.
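The two controls named above, SI-10 (validate on the way in) and SI-15 (encode on the way out), applied to a CMS-style plain-text field such as a site or page title. This is an added example written for this page, not HAX CMS project code; the field name, length limit, allowlist and sample rows are constructed assumptions. It also carries one check the controls list leaves implicit: a code patch does not clean up records that were stored while the flaw was live, so the validator is re-run over existing rows to find the ones that need review.

```javascript
// Added example, not HAX CMS project code. Names, limits and sample data are
// constructed for illustration.

// SI-15, output filtering: HTML-entity encoding for text placed into an element
// body or a double-quoted attribute value. Encodes the five characters that can
// open or close markup in those contexts; nothing else needs to change.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// SI-10, input validation: an allowlist for a short plain-text field. It rejects
// markup characters, control characters and over-long values outright instead of
// trying to strip "dangerous" substrings, because denylist stripping is what
// stored XSS payloads are routinely crafted to get past.
const TITLE_MAX_LEN = 120; // constructed limit for the example
const TITLE_ALLOWED = /^[\p{L}\p{N} .,:;!?'"()\-_&]+$/u;

function validateTitle(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  const trimmed = input.trim();
  if (trimmed.length === 0 || trimmed.length > TITLE_MAX_LEN) {
    return { ok: false, reason: 'length' };
  }
  if (!TITLE_ALLOWED.test(trimmed)) return { ok: false, reason: 'disallowed characters' };
  return { ok: true, value: trimmed };
}

// The pattern a stored XSS exploits: a stored value concatenated straight into
// markup. Kept only as the "before" to contrast with renderTitleSafe below.
function renderTitleUnsafe(storedTitle) {
  return `<h1 class="site-title">${storedTitle}</h1>`;
}

// The "after": the same template with the value encoded at the output boundary.
// This control still holds for records stored before validation existed.
function renderTitleSafe(storedTitle) {
  return `<h1 class="site-title">${escapeHtml(storedTitle)}</h1>`;
}

// Post-patch check: re-run the input validator over existing rows and return the
// ids an administrator should review, since stored payloads outlive the code fix.
function findSuspiciousRecords(records) {
  return records.filter((r) => !validateTitle(r.title).ok).map((r) => r.id);
}

// Constructed sample rows. p2 is the shape of a record written while no
// validation was in place.
const STORED_PAYLOAD = 'Welcome<script>x()</script>';
const SAMPLE_RECORDS = [
  { id: 'p1', title: 'Team Page' },
  { id: 'p2', title: STORED_PAYLOAD },
  { id: 'p3', title: 'Q&A: Open Hours' },
];

console.log('unsafe :', renderTitleUnsafe(STORED_PAYLOAD));
console.log('safe   :', renderTitleSafe(STORED_PAYLOAD));
console.log('review :', findSuspiciousRecords(SAMPLE_RECORDS));
```

Both layers are needed: "Tom & Jerry" passes the allowlist and must still be encoded at render time, and a record that slipped in before the fix is neutralised only by the output encoding. The encoder shown is correct for HTML element bodies and quoted attributes; a value placed into a URL, a script block or a CSS context needs the encoder for that context instead.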

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1059.007 JavaScript (tactic: Execution): adversaries may abuse various implementations of JavaScript for execution.
T1189 Drive-by Compromise (tactic: Initial Access): adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

Why these techniques?

Stored XSS enables arbitrary JavaScript execution in victim browsers (T1059.007) and supports drive-by compromise when victims render attacker-injected content (T1189).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

HAX CMS helps manage a microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.

Deeper analysis [AI-generated]

CVE-2026-22704 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in HAX CMS, a content management system for managing a universe of microsites with PHP or Node.js backends. The flaw affects versions 11.0.6 through 24.x and has a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H). It has been patched in version 25.0.0.

An authenticated attacker with low privileges can exploit the stored XSS over the network, though it requires high attack complexity and user interaction, such as a victim following a link or rendering the injected content. A successful exploit changes scope (S:C), enabling high-impact compromise of confidentiality, integrity, and availability, which can lead to full account takeover.

Mitigation involves updating to HAX CMS version 25.0.0 or later. The GitHub security advisory (GHSA-3fm2-xfq7-7778) details the issue, with the fixing commit available at https://github.com/haxtheweb/haxcms-nodejs/commit/317a8ae29f88be389f7cfeffaef416957122d97e and the release at https://github.com/haxtheweb/haxcms-nodejs/releases/tag/v25.0.0.

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: psu / haxcms-nodejs, versions from 11.0.6 (before 25.0.0)

CVEs Like This One

CVE-2026-28109 (shared CWE-79)
CVE-2026-25361 (shared CWE-79)
CVE-2024-53965 (shared CWE-79)
CVE-2025-70846 (shared CWE-79)
CVE-2025-31625 (shared CWE-79)
CVE-2025-69053 (shared CWE-79)
CVE-2026-25438 (shared CWE-79)
CVE-2025-50128 (shared CWE-79)
CVE-2025-25132 (shared CWE-79)
CVE-2026-42524 (shared CWE-79)