Description
An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Content field.
Published: 2026-04-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows arbitrary script execution
Action: Patch Immediately
AI Analysis

Impact

An authenticated stored cross‑site scripting flaw exists within Feehi CMS version 2.1.1. Attackers with access to the content creation or editing module can insert a malicious payload into the content field, which is then saved and rendered for all users who view the page. The stored nature of the exploit permits execution of arbitrary JavaScript or HTML inside the victim’s browser, potentially compromising session data, defacing the site, or redirecting traffic.

Affected Systems

The impact is limited to installations of Feehi CMS version 2.1.1 that provide authenticated users with the ability to create or edit content. No other vendors or product versions are currently known to be affected.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity level, while the EPSS score of less than 1 % suggests a low likelihood of widespread exploitation at present. Because the flaw requires authenticated access, only accounts with content‑editing privileges can launch this attack; however, many deployments grant such privileges to regular users. Once an attacker injects the payload, it persists in the database and will be delivered to every visitor who opens the affected page, leading to lasting damage if not addressed.

Generated by OpenCVE AI on April 8, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Feehi CMS to a version that fixes the vulnerable content module.
  • If an upgrade is not yet available, restrict content‑editing permissions to trusted administrators only.
  • Deploy server‑side input validation or sanitization for the content field to strip or encode executable markup.
  • Regularly audit site content and monitor access logs for unusual script additions to detect potential exploitation early.

Generated by OpenCVE AI on April 8, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hj9c-p59c-vqph Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation/editing module
History

Fri, 10 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Authenticated Stored XSS in Feehi CMS Content Module

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:feehi:feehi_cms:2.1.1:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Title Authenticated Stored XSS in Feehi CMS Content Module
First Time appeared Feehi
Feehi feehi Cms
Weaknesses CWE-79
Vendors & Products Feehi
Feehi feehi Cms

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Content field.
References

Subscriptions

Feehi Feehi Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T20:17:51.212Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31313

cve-icon Vulnrichment

Updated: 2026-04-09T18:06:52.211Z

cve-icon NVD

Status : Modified

Published: 2026-04-06T17:17:09.590

Modified: 2026-04-09T21:16:08.990

Link: CVE-2026-31313

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:52:54Z

Weaknesses