Description
A vulnerability was found in Feehi CMS up to 2.1.1. This vulnerability affects unknown code of the file /api/articles of the component REST API Endpoint. Performing a manipulation results in missing authentication. The attack may be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the /api/articles REST API endpoint of Feehi CMS. An attacker can manipulate requests to this endpoint to bypass authentication, causing the application to process requests as if they were authenticated. This results in unauthorized access to article data, potentially allowing reading or modification of content. The weakness is identified as an authentication failure (CWE-287) and a missing authentication check (CWE-306).

Affected Systems

Feehi CMS versions up to and including 2.1.1 are affected. The vulnerable component is the /api/articles endpoint. No other products or versions are known to be impacted based on the available data.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. EPSS data is not available and the vulnerability is not listed in the KEV catalog, yet the exploit is publicly disclosed and can be executed from any remote host because authentication checks are missing. An attacker who can reach the REST API can retrieve or alter article data, which could be leveraged for further attacks or data exfiltration. Immediate mitigation is required.

Generated by OpenCVE AI on June 29, 2026 at 09:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch or upgrade to a version newer than 2.1.1 as soon as it is released.
  • Block external traffic to the /api/articles endpoint using firewall rules or web server configuration, allowing access only from trusted IPs or internal networks.
  • Enforce an authentication mechanism on the /api/articles endpoint—such as HTTP Basic, OAuth, or API key validation—to ensure that only authenticated requests are accepted.
  • Monitor API traffic for suspicious activity and audit logs to detect unauthorized use of the endpoint.
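
The access-restriction and monitoring recommendations above can be checked against web server logs. This added example (not OpenCVE or Feehi code) lists served requests to /api/articles that came from outside trusted networks; the combined log format, the trusted ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumption: access log lines use the combined log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
ENDPOINT = "/api/articles"  # endpoint named in the advisory
# Assumption: these ranges stand in for "trusted IPs or internal networks".
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def hits_endpoint(target):
    """True if the request target resolves to ENDPOINT or a path below it."""
    path = unquote(target.split("?", 1)[0])           # drop query, decode %xx
    path = posixpath.normpath(re.sub(r"/+", "/", path) or "/")  # fold // and ..
    return path == ENDPOINT or path.startswith(ENDPOINT + "/")

def untrusted_access(lines):
    """List served (2xx) requests to ENDPOINT from clients outside TRUSTED."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not hits_endpoint(m["target"]):
            continue                                  # unparsable or other path
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue                                  # client field is not an IP
        if any(ip in net for net in TRUSTED) or not m["status"].startswith("2"):
            continue                                  # trusted source or rejected
        kind = "write" if m["method"] in WRITE_METHODS else "read"
        findings.append((str(ip), m["method"], m["target"], kind))
    return findings

# Constructed sample lines using documentation address ranges, not real traffic.
TS = "[29/Jun/2026:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {TS} "GET /api/articles?page=1 HTTP/1.1" 200 5123 "-" "-"',
    f'10.1.2.3 - - {TS} "POST /api/articles HTTP/1.1" 201 310 "-" "-"',
    f'198.51.100.24 - - {TS} "DELETE /api//articles/12 HTTP/1.1" 200 2 "-" "-"',
    f'203.0.113.7 - - {TS} "GET /api/articles-feed HTTP/1.1" 200 88 "-" "-"',
    f'198.51.100.24 - - {TS} "PUT /api/articles/12 HTTP/1.1" 401 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in untrusted_access(SAMPLE):
        print(finding)
```

Any finding after the endpoint has been restricted means the block is not in effect for that path variant; "write" findings are the ones to review first.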

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 14:30:00 +0000

Values Removed: (none)

Values Added:

  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 08:45:00 +0000

Values Removed: (none)

Values Added:

  • Description: A vulnerability was found in Feehi CMS up to 2.1.1. This vulnerability affects unknown code of the file /api/articles of the component REST API Endpoint. Performing a manipulation results in missing authentication. The attack may be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
  • Title: Feehi CMS REST API Endpoint articles missing authentication
  • First Time appeared: Feehi; Feehi cms
  • Weaknesses: CWE-287, CWE-306
  • CPEs: cpe:2.3:a:feehi:cms:*:*:*:*:*:*:*:*
  • Vendors & Products: Feehi; Feehi cms
  • References
  • Metrics:
    cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T13:34:55.413Z

Reserved: 2026-06-28T10:58:04.226Z

Link: CVE-2026-13546

Vulnrichment

Updated: 2026-06-29T13:34:49.996Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T13:15:03Z

Weaknesses
  • CWE-287

    Improper Authentication

  • CWE-306

    Missing Authentication for Critical Function