CVE-2026-48527 | haxtheweb haxcms-nodejs/haxcms-php up to 26.0.0 Attribute Name /system/api/saveNode cross site scripting

- HAX CMS (nodejs/php) has a stored XSS vulnerability (CVE-2026-48527) in /system/api/saveNode allowing authenticated editors to inject event-handler attributes that bypass the HTML sanitizer; remote exploitation requires user interaction. Patches are available in haxcms-nodejs 26.0.1 and haxcms-php 26.0.2 and upgrading is recommended; no public exploit has been reported.