Skip to main content

EUVDEUVD-2026-19275

| CVE-2026-31351 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-06 mitre GHSA-cvjh-88c8-2jjx
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 06, 2026 - 15:30 euvd
EUVD-2026-19275
Analysis Generated
Apr 06, 2026 - 15:30 vuln.today
CVE Published
Apr 06, 2026 - 00:00 nvd
MEDIUM 4.8

DescriptionCVE.org

An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.

AnalysisAI

Stored XSS in Feehi CMS v2.1.1 creation/editing module allows authenticated high-privilege users to execute arbitrary scripts via malicious Title parameter injection, affecting all users who view the affected content. The vulnerability requires high-privilege authentication and user interaction (UI:R), limiting real-world exploitability to insider threats or compromised administrative accounts; CVSS 4.8 reflects low impact (CIA:L) and confined scope.

Technical ContextAI

This is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) stored XSS vulnerability. The Feehi CMS content management system fails to sanitize or encode user input in the Title parameter during content creation or editing workflows. Malicious JavaScript or HTML injected into the Title field is stored server-side and executed in the browsers of all users viewing that content, bypassing client-side protections. The vulnerability exists in the content module's server-side rendering without proper output encoding, allowing scripts to access session cookies, perform actions on behalf of viewers, or redirect users to malicious sites.

RemediationAI

Upgrade Feehi CMS to a patched version released after v2.1.1; consult the official Feehi CMS GitHub repository (https://github.com/liufee/cms) and GitHub issue #81 (https://github.com/liufee/cms/issues/81) for the specific fix version. If immediate patching is not possible, implement input validation and output encoding on the Title parameter by: (1) validating Title input to reject or escape special HTML/JavaScript characters, (2) applying HTML entity encoding when rendering Title content in pages, and (3) enforcing a Content Security Policy (CSP) header to restrict inline script execution. Audit all existing content created by administrative users to identify and remove any malicious payloads.

Share

EUVD-2026-19275 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy