Skip to main content

Feehi Cms CVE-2026-31353

| EUVDEUVD-2026-19343 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-06 cve@mitre.org GHSA-664p-j3q6-p843
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 06, 2026 - 16:22 euvd
EUVD-2026-19343
Analysis Generated
Apr 06, 2026 - 16:22 vuln.today
CVE Published
Apr 06, 2026 - 16:16 nvd
MEDIUM 5.4

DescriptionCVE.org

An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.

AnalysisAI

Stored cross-site scripting (XSS) in Feehi CMS v2.1.1 Category module allows authenticated attackers to inject arbitrary web scripts via the Name parameter, affecting users who subsequently view the malicious content. The vulnerability requires user interaction (rendering in a browser) and authenticated access to inject the payload, but once stored, it executes in the context of any user viewing the affected category. EPSS exploitation probability is extremely low at 0.02% (5th percentile), indicating minimal real-world attack likelihood despite moderate CVSS score.

Technical ContextAI

This is a stored cross-site scripting (CWE-79) vulnerability in Feehi CMS, an open-source PHP content management system. The Category module fails to properly sanitize or encode user-supplied input in the Name parameter before storing it in the database. When the category is rendered to authenticated or unauthenticated users viewing the category page, the unencoded payload executes in the victim's browser with the privileges of the viewing user. The affected product is Feehi CMS (CPE: cpe:2.3:a:feehi:feehi_cms:2.1.1:*:*:*:*:*:*:*), specifically version 2.1.1.

RemediationAI

Upgrade Feehi CMS to a patched version released after v2.1.1; exact patched version numbers are not specified in available references. Immediate mitigation includes: (1) implement output encoding for the Name parameter in category display templates using context-appropriate escaping (e.g., HTML entity encoding for HTML context), (2) conduct code review of the Category module to ensure all user inputs are sanitized before database storage, and (3) restrict authenticated user access to the Category management feature to trusted administrators only. Review the upstream GitHub repository (https://github.com/liufee/cms) and issue tracker (https://github.com/liufee/cms/issues/84) for available patches. The NIST CVE detail page (https://nvd.nist.gov/vuln/detail/CVE-2026-31353) may contain updated remediation guidance.

Share

CVE-2026-31353 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy