Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.
AnalysisAI
Stored XSS in Feehi CMS v2.1.1 creation/editing module allows authenticated high-privilege users to execute arbitrary scripts via malicious Title parameter injection, affecting all users who view the affected content. The vulnerability requires high-privilege authentication and user interaction (UI:R), limiting real-world exploitability to insider threats or compromised administrative accounts; CVSS 4.8 reflects low impact (CIA:L) and confined scope.
Technical ContextAI
This is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) stored XSS vulnerability. The Feehi CMS content management system fails to sanitize or encode user input in the Title parameter during content creation or editing workflows. Malicious JavaScript or HTML injected into the Title field is stored server-side and executed in the browsers of all users viewing that content, bypassing client-side protections. The vulnerability exists in the content module's server-side rendering without proper output encoding, allowing scripts to access session cookies, perform actions on behalf of viewers, or redirect users to malicious sites.
RemediationAI
Upgrade Feehi CMS to a patched version released after v2.1.1; consult the official Feehi CMS GitHub repository (https://github.com/liufee/cms) and GitHub issue #81 (https://github.com/liufee/cms/issues/81) for the specific fix version. If immediate patching is not possible, implement input validation and output encoding on the Title parameter by: (1) validating Title input to reject or escape special HTML/JavaScript characters, (2) applying HTML entity encoding when rendering Title content in pages, and (3) enforcing a Content Security Policy (CSP) header to restrict inline script execution. Audit all existing content created by administrative users to identify and remove any malicious payloads.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19275
GHSA-cvjh-88c8-2jjx