Description
A flaw has been found in Feehi CMS up to 2.1.1. Affected by this issue is some unknown functionality of the file /api/users of the component API. This manipulation causes improper access controls. The attack can be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Feehi CMS versions up to 2.1.1 contain an improper access control flaw in the /api/users API endpoint: a crafted request reaches functionality that should have been gated by an authorization check. The record classifies it as CWE‑266 (Incorrect Privilege Assignment) and CWE‑284 (Improper Access Control). Which operation is affected (read versus write of user records) is not stated. The CVSS vectors on this page rate confidentiality, integrity and availability impact as low and require a low‑privileged account (PR:L), so the likely outcome is access to, or modification of, user data beyond what the caller's role should permit, rather than a full compromise of the host.

Affected Systems

All Feehi CMS installations at version 2.1.1 or earlier that expose the /api/users endpoint are affected. Any deployment where the CMS and its API are reachable from external networks is exposed; installations where the API is only reachable from a trusted network still carry the flaw, but an attacker would first need a foothold on that network and a valid account.

Risk and Exploitability

The CVSS 4.0 score of 5.3 places this vulnerability in the medium severity range (the 3.1 vector on this page scores 6.3). EPSS is below 1%, the SSVC decision point marks exploitation as proof‑of‑concept and not automatable, and the vulnerability is not listed in CISA's KEV catalogue, so there is no evidence of exploitation in the wild yet. However, a proof‑of‑concept exploit has been published, the attack is network‑reachable, and every vector on this page requires only a low‑privileged account (Au:S / PR:L), so an attacker holding any valid login could reach the restricted functionality. Given that, and the absence of a vendor response, exposed installations should be treated as at risk and monitored closely.

Generated by OpenCVE AI on June 29, 2026 at 08:50 UTC.
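Because a proof‑of‑concept is public and no fix exists, the practical next step for an operator is to look for hits on the endpoint. The script below is an added example for this page, not OpenCVE or Feehi CMS code: it parses web‑server access logs in the NCSA combined format, keeps successful requests to /api/users, and flags those that come from outside an assumed trusted‑network allowlist or that use a write method. The log lines and the allowlist are constructed for the example.

```python
"""Audit access logs for requests to the Feehi CMS /api/users endpoint
(CVE-2026-13544). Added example for this page, not Feehi CMS or OpenCVE
code. The log lines are constructed samples in NCSA combined format and
TRUSTED_NETWORKS is an assumed allowlist."""
import ipaddress
import re
from collections import Counter

# Assumed allowlist: the only networks that should reach /api/users while
# no vendor fix exists. Mirror of the reverse-proxy allow rule.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
10.0.4.12 - admin [29/Jun/2026:09:01:10 +0000] "GET /api/users?page=1 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jun/2026:09:02:44 +0000] "GET /api/users HTTP/1.1" 200 20481 "-" "python-requests/2.31"
203.0.113.7 - - [29/Jun/2026:09:02:45 +0000] "GET /api/users/1 HTTP/1.1" 200 912 "-" "python-requests/2.31"
198.51.100.9 - - [29/Jun/2026:09:03:01 +0000] "PUT /api/users/3 HTTP/1.1" 200 88 "-" "curl/8.4.0"
192.168.1.20 - editor [29/Jun/2026:09:05:30 +0000] "GET /api/articles HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jun/2026:09:06:02 +0000] "POST /api/users HTTP/1.1" 403 45 "-" "python-requests/2.31"
"""

# ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def is_users_path(path):
    """True for the collection and for individual user records under it."""
    return path == "/api/users" or path.startswith("/api/users/")


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def audit(log_text):
    """Return findings for successful (2xx) hits on /api/users that came
    from outside the allowlist or used a write method. Blocked (4xx/5xx)
    attempts are not findings: the control in front of the app worked."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_users_path(rec["path"]):
            continue
        if rec["status"] // 100 != 2:
            continue
        reasons = []
        if not is_trusted(rec["ip"]):
            reasons.append("untrusted source")
        if rec["method"] in WRITE_METHODS:
            reasons.append("write method")
        if reasons:
            findings.append({"ip": rec["ip"], "method": rec["method"],
                             "path": rec["path"], "reasons": reasons})
    return findings


def top_sources(findings):
    """Source IPs ranked by number of findings, for triage."""
    return Counter(f["ip"] for f in findings).most_common()


if __name__ == "__main__":
    hits = audit(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']:15} {f['method']:5} {f['path']:14} {', '.join(f['reasons'])}")
    print(top_sources(hits))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. Keep TRUSTED_NETWORKS identical to whatever the reverse proxy permits, so that any finding from an untrusted source means the proxy rule is missing or being bypassed.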

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade past 2.1.1 as soon as the vendor releases a patch that corrects the access‑control logic in /api/users; at the time of writing no such release exists.
  • Until then, limit exposure with firewall or reverse‑proxy rules that allow requests to /api/users only from trusted IP ranges or internal networks, and log the requests that are refused.
  • Enforce authentication and role‑based authorization on every /api/users request, including per‑record access to individual users, so that a low‑privileged account cannot read or modify other users' data; do this in the application or in a gateway in front of it rather than relying on the endpoint being unknown.
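The last recommendation is the one that removes the weakness class rather than hiding it. The code below is an added example, not Feehi CMS code and not a reconstruction of the reported flaw: it shows a deny‑by‑default authorization gate in front of a hypothetical /api/users handler, with authentication, the role policy and object‑level ownership all checked before any record is read. The route table, role names, user store and Request shape are assumptions; the unguarded handler beside it is a generic illustration of CWE‑284.

```python
"""Deny-by-default authorization gate in front of a /api/users resource.
Added illustration for this page, not Feehi CMS code: the route table,
role names, user store and Request shape are assumptions, and the
unguarded handler is a generic example of CWE-284, not the reported flaw."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    method: str
    path: str
    session_user: Optional[dict]   # None means an unauthenticated caller


# Constructed user store (id -> record); an assumption, not Feehi's schema.
USERS = {
    1: {"id": 1, "username": "admin", "role": "admin"},
    2: {"id": 2, "username": "editor", "role": "editor"},
    3: {"id": 3, "username": "author", "role": "author"},
}

# Roles allowed per (method, scope). "self" means the caller may act on
# their own record only. Anything not listed, including every write verb,
# is denied, so a new method cannot slip through without a policy entry.
POLICY = {
    ("GET", "collection"): {"admin"},
    ("GET", "item"): {"admin", "self"},
}


def route_scope(path):
    """Map a path to ("collection", None) or ("item", user_id); None if the
    path is not the users resource at all."""
    if path == "/api/users":
        return "collection", None
    prefix = "/api/users/"
    tail = path[len(prefix):]
    if path.startswith(prefix) and tail.isdigit():
        return "item", int(tail)
    return None


def authorize(req):
    """Return (allowed, reason): authentication first, then the role
    policy, then object-level ownership for 'self' access."""
    scope = route_scope(req.path)
    if scope is None:
        return False, "unknown route"
    kind, target_id = scope
    if req.session_user is None:
        return False, "authentication required"
    allowed = POLICY.get((req.method, kind), set())
    if req.session_user["role"] in allowed:
        return True, "role"
    if "self" in allowed and target_id == req.session_user["id"]:
        return True, "owner"
    return False, "forbidden"


def users_handler_unguarded(req):
    """Generic shape of the weakness class: the handler never asks who is
    calling, so any remote caller receives every user record."""
    return 200, list(USERS.values())


def users_handler_guarded(req):
    """The same handler with the gate applied before any data is touched."""
    ok, reason = authorize(req)
    if not ok:
        return (401 if reason == "authentication required" else 403), {"error": reason}
    kind, target_id = route_scope(req.path)
    if kind == "collection":
        return 200, list(USERS.values())
    if target_id not in USERS:
        return 404, {"error": "not found"}
    return 200, USERS[target_id]


if __name__ == "__main__":
    for who, user in (("anonymous", None), ("editor", USERS[2]), ("admin", USERS[1])):
        for path in ("/api/users", "/api/users/2", "/api/users/1"):
            status, _ = users_handler_guarded(Request("GET", path, user))
            print(f"{who:10} GET {path:14} -> {status}")
```

The order of checks matters: the route is resolved first so the ownership test compares the caller's id with the record actually requested, and the policy lookup falls back to an empty set so that an unlisted method or scope is refused instead of silently allowed.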

Generated by OpenCVE AI on June 29, 2026 at 08:50 UTC.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 15:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 07:00:00 +0000

Values removed: (none; initial record)
Values added:

Type: Description
A flaw has been found in Feehi CMS up to 2.1.1. Affected by this issue is some unknown functionality of the file /api/users of the component API. This manipulation causes improper access controls. The attack can be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Feehi CMS API users access control

Type: First Time appeared
Feehi; Feehi cms

Type: Weaknesses
CWE-266; CWE-284

Type: CPEs
cpe:2.3:a:feehi:cms:*:*:*:*:*:*:*:*

Type: Vendors & Products
Feehi; Feehi cms

Type: References
(empty)

Type: Metrics
cvssV2_0
{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0
{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1
{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T13:48:58.783Z

Reserved: 2026-06-28T10:15:22.055Z

Link: CVE-2026-13544

Vulnrichment

Updated: 2026-06-29T13:48:54.203Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T20:05:34Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-284

    Improper Access Control