Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter.
AnalysisAI
Stored XSS in Feehi CMS v2.1.1 Role Management module allows authenticated users to execute arbitrary scripts via malicious Role Name input, affecting all users viewing the affected role. The vulnerability requires prior authentication and user interaction (UI:R), limiting its scope to authenticated attackers within the application; EPSS score of 0.02% indicates minimal real-world exploitation probability despite public visibility.
Technical ContextAI
This vulnerability exploits improper input sanitization in the Role Management module of Feehi CMS, a PHP-based content management system. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the application fails to encode or filter user-supplied input before storing it in the database and rendering it in subsequent page views. The Role Name parameter accepts and stores crafted payloads (e.g., JavaScript) without validation, and upon retrieval, the unsanitized content is rendered to other users' browsers in the context of the application domain. This is a classic stored/persistent XSS vulnerability where the attack payload persists in the application's data store rather than being reflected in a single request.
RemediationAI
Upgrade Feehi CMS to a patched version released after v2.1.1 (exact version number not provided in available references; check vendor release notes at https://github.com/liufee/cms for the next available release). As interim mitigation, restrict Role Management access to a minimal set of trusted administrators and implement a Web Application Firewall (WAF) rule to filter XSS patterns in Role Name parameters. Developers should implement HTML entity encoding when displaying role names in all templates and validate input length and character restrictions on the Role Name field. Refer to the NIST vulnerability detail page (https://nvd.nist.gov/vuln/detail/CVE-2026-31352) and GitHub issue #83 (https://github.com/liufee/cms/issues/83) for additional context and patch availability confirmation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19342
GHSA-hqjc-wfvx-x2fv