A vulnerability was found in haxtheweb haxcms-nodejs, video-player and iframe-loader up to 25.x . It has been rated as problematic . Affected is an unknown function. The manipulation of the argument src leads to cross site scripting. This vulnerability is referenced as CVE-2026-46396 . Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is advised.