@haxtheweb/create (>=0.1.3 <=26.0.0), @haxtheweb/open-apis (>=11.0.2 <=26.0.0) potentially affected by CVE-2026-46357 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=25.0.0)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2, =26.0.0 Source cves: CVE-2026-46357 Source advisory: OSV:GHSA-9R33-XHW8-4QQP...

Cross-site Scripting (XSS)

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the victim's browser...

CVE-2026-46357

creationtimestamp| type| source ---|---|--- 2026-05-13 18:46:15+00:00| published-proof-of-concept| https://github.com/haxtheweb/issues/security/advisories/GHSA-9r33-xhw8-4qqp 2026-06-05 21:20:07+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mnl2wssjwa2z...

@haxtheweb/create (>=0.1.3 <=11.0.2), @haxtheweb/open-apis (=11.0.2) potentially affected by CVE-2025-54378 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=10.0.6)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2 - @haxtheweb/open-apis =11.0.2 Source cves: CVE-2025-54378 Source advisory: OSV:GHSA-9JR9-8FF3-M894...

@haxtheweb/create (>=0.1.3 <=11.0.2), @haxtheweb/open-apis (=11.0.2) potentially affected by CVE-2025-54139 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=10.0.6)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2 - @haxtheweb/open-apis =11.0.2 Source cves: CVE-2025-54139 Source advisory: OSV:GHSA-54VW-F4XF-F92J...

@haxtheweb/create (>=0.1.3 <=11.0.2), @haxtheweb/open-apis (=11.0.2) potentially affected by CVE-2025-54137 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=10.0.6)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2 - @haxtheweb/open-apis =11.0.2 Source cves: CVE-2025-54137 Source advisory: OSV:GHSA-5FPV-5QVH-7CF3...

@haxtheweb/create (>=0.1.3 <=25.0.0), @haxtheweb/open-apis (>=11.0.2 <=11.0.3) potentially affected by CVE-2025-54134 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=11.0.15)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2, =11.0.3 Source cves: CVE-2025-54134 Source advisory: OSV:GHSA-PJJ3-J5J6-QJ27...

@haxtheweb/create (>=0.1.3 <=25.0.0), @haxtheweb/open-apis (>=11.0.2 <=11.0.3) potentially affected by CVE-2025-49141 via @haxtheweb/haxcms-nodejs (>=0.0.13 <=11.0.15)

@haxtheweb/haxcms-nodejs NPM version =0.0.13, =0.1.3, =11.0.2, =11.0.3 Source cves: CVE-2025-49141 Source advisory: OSV:GHSA-G4CF-PP4X-HQGW...

@haxtheweb/create (>=10.0.0 <=11.0.2), @haxtheweb/open-apis (=11.0.2) potentially affected by CVE-2025-48996 via @haxtheweb/open-apis (=10.0.1)

@haxtheweb/open-apis NPM version =10.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on @haxtheweb/open-apis and may be impacted: - @haxtheweb/create =10.0.0, =11.0.2 - @haxtheweb/open-apis =11.0.2 Source cves: CVE-2025-48996 Source advisory:...