Skip to main content

EUVDEUVD-2026-19342

| CVE-2026-31352 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-06 mitre GHSA-hqjc-wfvx-x2fv
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 06, 2026 - 16:00 euvd
EUVD-2026-19342
Analysis Generated
Apr 06, 2026 - 16:00 vuln.today
CVE Published
Apr 06, 2026 - 00:00 nvd
MEDIUM 5.4

DescriptionCVE.org

An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter.

AnalysisAI

Stored XSS in Feehi CMS v2.1.1 Role Management module allows authenticated users to execute arbitrary scripts via malicious Role Name input, affecting all users viewing the affected role. The vulnerability requires prior authentication and user interaction (UI:R), limiting its scope to authenticated attackers within the application; EPSS score of 0.02% indicates minimal real-world exploitation probability despite public visibility.

Technical ContextAI

This vulnerability exploits improper input sanitization in the Role Management module of Feehi CMS, a PHP-based content management system. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the application fails to encode or filter user-supplied input before storing it in the database and rendering it in subsequent page views. The Role Name parameter accepts and stores crafted payloads (e.g., JavaScript) without validation, and upon retrieval, the unsanitized content is rendered to other users' browsers in the context of the application domain. This is a classic stored/persistent XSS vulnerability where the attack payload persists in the application's data store rather than being reflected in a single request.

RemediationAI

Upgrade Feehi CMS to a patched version released after v2.1.1 (exact version number not provided in available references; check vendor release notes at https://github.com/liufee/cms for the next available release). As interim mitigation, restrict Role Management access to a minimal set of trusted administrators and implement a Web Application Firewall (WAF) rule to filter XSS patterns in Role Name parameters. Developers should implement HTML entity encoding when displaying role names in all templates and validate input length and character restrictions on the Role Name field. Refer to the NIST vulnerability detail page (https://nvd.nist.gov/vuln/detail/CVE-2026-31352) and GitHub issue #83 (https://github.com/liufee/cms/issues/83) for additional context and patch availability confirmation.

Share

EUVD-2026-19342 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy