Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.
AnalysisAI
Stored cross-site scripting (XSS) in Feehi CMS v2.1.1 Category module allows authenticated attackers to inject arbitrary web scripts via the Name parameter, affecting users who subsequently view the malicious content. The vulnerability requires user interaction (rendering in a browser) and authenticated access to inject the payload, but once stored, it executes in the context of any user viewing the affected category. EPSS exploitation probability is extremely low at 0.02% (5th percentile), indicating minimal real-world attack likelihood despite moderate CVSS score.
Technical ContextAI
This is a stored cross-site scripting (CWE-79) vulnerability in Feehi CMS, an open-source PHP content management system. The Category module fails to properly sanitize or encode user-supplied input in the Name parameter before storing it in the database. When the category is rendered to authenticated or unauthenticated users viewing the category page, the unencoded payload executes in the victim's browser with the privileges of the viewing user. The affected product is Feehi CMS (CPE: cpe:2.3:a:feehi:feehi_cms:2.1.1:*:*:*:*:*:*:*), specifically version 2.1.1.
RemediationAI
Upgrade Feehi CMS to a patched version released after v2.1.1; exact patched version numbers are not specified in available references. Immediate mitigation includes: (1) implement output encoding for the Name parameter in category display templates using context-appropriate escaping (e.g., HTML entity encoding for HTML context), (2) conduct code review of the Category module to ensure all user inputs are sanitized before database storage, and (3) restrict authenticated user access to the Category management feature to trusted administrators only. Review the upstream GitHub repository (https://github.com/liufee/cms) and issue tracker (https://github.com/liufee/cms/issues/84) for available patches. The NIST CVE detail page (https://nvd.nist.gov/vuln/detail/CVE-2026-31353) may contain updated remediation guidance.
Feehi CMS 2.1.1 is affected by a Server-side request forgery (SSRF) vulnerability. Rated critical severity (CVSS 9.1), t
An arbitrary file upload vulnerability in the Advertising Management module of Feehi CMS v2.1.1 allows attackers to exec
A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an attacker to spoof a particular header. Rated mediu
A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to
Stored cross-site scripting (XSS) in Feehi CMS v2.1.1 Permissions module allows authenticated users to inject malicious
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19343
GHSA-664p-j3q6-p843