Skip to main content

Feehi CMS CVE-2026-13546

| EUVDEUVD-2026-40046 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-06-29 VulDB GHSA-9vx2-hrrc-hrgq
5.5
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Endpoint is network-accessible with no authentication required; low CIA impact reflects constrained article-data scope with no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
Jun 29, 2026 - 09:22 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
Jun 29, 2026 - 09:16 vuln.today

DescriptionCVE.org

A vulnerability was found in Feehi CMS up to 2.1.1. This vulnerability affects unknown code of the file /api/articles of the component REST API Endpoint. Performing a manipulation results in missing authentication. The attack may be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Unauthenticated access to the /api/articles REST API endpoint in Feehi CMS up to version 2.1.1 exposes article management functions without any credential verification, allowing remote attackers to interact with CMS content at low complexity and zero privilege. A publicly available proof-of-concept exploit exists via a GitHub issue report. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-exposed Feehi CMS instance
Exploit
Send unauthenticated HTTP request to /api/articles
Execution
Bypass absent authentication middleware
Impact
Access or manipulate article data

Vulnerability AssessmentAI

Exploitation The /api/articles REST API endpoint must be network-accessible - this is the default posture for any internet-exposed Feehi CMS deployment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (Medium) captures a network-accessible, zero-prerequisite flaw with constrained per-access impact (VC:L/VI:L/VA:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote unauthenticated attacker sends a crafted HTTP GET or POST request directly to the /api/articles endpoint of an internet-exposed Feehi CMS instance, receiving or manipulating article data without any credential challenge. A public POC is available via GitHub issue #87, reducing the required skill level to near-zero. …
Remediation No vendor-released patch has been identified at time of analysis - the project was notified via issue report (https://github.com/liufee/cms/issues/87) but has not responded. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Cms

View all
CVE-2020-7357 CRITICAL POC
9.9 Aug 06

Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c

CVE-2012-4405 MEDIUM
6.8 Sep 18

Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl

CVE-2021-47753 CRITICAL POC
9.8 Jan 15

phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po

CVE-2019-9874 CRITICAL POC
9.8 May 31

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an

CVE-2019-9875 HIGH POC
8.8 May 31

Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex

CVE-2012-5894 HIGH POC
7.5 Nov 17

SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr

CVE-2012-5893 MEDIUM POC
6.8 Nov 17

Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e

CVE-2015-2083 MEDIUM POC
6.8 Feb 25

Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi

CVE-2012-5919 MEDIUM POC
4.3 Nov 19

Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit

CVE-2025-5429 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5428 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5427 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

Share

CVE-2026-13546 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy