Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter.
AnalysisAI
Authenticated stored XSS in Feehi CMS v2.1.1 allows authenticated users to inject arbitrary web scripts or HTML via the Page Sign parameter, enabling session hijacking, credential theft, or malware distribution to other users viewing affected pages. EPSS exploitation probability is minimal at 0.02%, and no public exploit code or active exploitation has been confirmed, indicating low real-world attack urgency despite the CVSS medium score.
Technical ContextAI
This is a stored cross-site scripting vulnerability (CWE-79) in Feehi CMS, a content management system. The vulnerability exists in the Page Sign parameter handling, where user-supplied input is stored in a database and later rendered in HTML contexts without proper sanitization or output encoding. When other users or administrators view pages containing the malicious payload, the injected JavaScript executes in their browsers with the privileges of their session, allowing attackers to steal session tokens, perform unauthorized actions, or redirect users to malicious sites. The vulnerability requires prior authentication, limiting the initial attack surface to users with legitimate CMS access.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19341
GHSA-cgxr-v74v-g9mm