Skip to main content

Feehi Cms CVE-2026-31354

| EUVDEUVD-2026-19344 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-06 cve@mitre.org GHSA-xqm9-6qmm-xrqh
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 06, 2026 - 16:22 euvd
EUVD-2026-19344
Analysis Generated
Apr 06, 2026 - 16:22 vuln.today
CVE Published
Apr 06, 2026 - 16:16 nvd
MEDIUM 5.4

DescriptionCVE.org

Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters.

AnalysisAI

Stored cross-site scripting (XSS) in Feehi CMS v2.1.1 Permissions module allows authenticated users to inject malicious scripts via Group, Category, or Description parameters, potentially enabling session hijacking or malware distribution to other authenticated users. Attack requires valid credentials and user interaction (UI:R per CVSS), limiting immediate risk despite network accessibility. No public exploit code or active exploitation has been confirmed; EPSS probability is minimal at 0.01% (3rd percentile).

Technical ContextAI

Feehi CMS is an open-source content management system (CPE: cpe:2.3:a:feehi:feehi_cms:2.1.1). The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the Permissions module, where user-supplied input from Group, Category, and Description fields is stored in the database and rendered without proper output encoding. This classic stored XSS pattern allows an authenticated attacker to craft payloads that execute in the browsers of other users accessing the affected administrative interface.

RemediationAI

Patch availability and exact fix version information is not provided in available data; check the Feehi CMS GitHub repository (https://github.com/liufee/cms) and issues tracker (https://github.com/liufee/cms/issues/85) for patched releases or pull requests addressing this XSS. As an interim mitigation, restrict administrative access to the Permissions module to trusted administrators, implement Web Application Firewall (WAF) rules to detect and block common XSS payloads in HTTP requests, and apply output encoding to all user-supplied input rendered in the administrative interface. Organizations should prioritize patching once an upstream fix is released.

Share

CVE-2026-31354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy