Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters.
AnalysisAI
Stored cross-site scripting (XSS) in Feehi CMS v2.1.1 Permissions module allows authenticated users to inject malicious scripts via Group, Category, or Description parameters, potentially enabling session hijacking or malware distribution to other authenticated users. Attack requires valid credentials and user interaction (UI:R per CVSS), limiting immediate risk despite network accessibility. No public exploit code or active exploitation has been confirmed; EPSS probability is minimal at 0.01% (3rd percentile).
Technical ContextAI
Feehi CMS is an open-source content management system (CPE: cpe:2.3:a:feehi:feehi_cms:2.1.1). The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the Permissions module, where user-supplied input from Group, Category, and Description fields is stored in the database and rendered without proper output encoding. This classic stored XSS pattern allows an authenticated attacker to craft payloads that execute in the browsers of other users accessing the affected administrative interface.
RemediationAI
Patch availability and exact fix version information is not provided in available data; check the Feehi CMS GitHub repository (https://github.com/liufee/cms) and issues tracker (https://github.com/liufee/cms/issues/85) for patched releases or pull requests addressing this XSS. As an interim mitigation, restrict administrative access to the Permissions module to trusted administrators, implement Web Application Firewall (WAF) rules to detect and block common XSS payloads in HTTP requests, and apply output encoding to all user-supplied input rendered in the administrative interface. Organizations should prioritize patching once an upstream fix is released.
Feehi CMS 2.1.1 is affected by a Server-side request forgery (SSRF) vulnerability. Rated critical severity (CVSS 9.1), t
An arbitrary file upload vulnerability in the Advertising Management module of Feehi CMS v2.1.1 allows attackers to exec
A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an attacker to spoof a particular header. Rated mediu
A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to
Stored cross-site scripting (XSS) in Feehi CMS v2.1.1 Category module allows authenticated attackers to inject arbitrary
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19344
GHSA-xqm9-6qmm-xrqh