Description
An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter.
Published: 2026-04-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS (client‑side script execution)
Action: Patch Immediately
AI Analysis

Impact

An authenticated stored cross‑site scripting (CWE‑79) flaw in Feehi CMS version 2.1.1 allows a logged‑in user to inject malicious JavaScript or HTML into the Page Sign parameter. When other users view the affected page, the injected code executes in their browsers, giving the attacker the ability to run arbitrary scripts. The described capability to execute web scripts, coupled with standard XSS attack patterns, implies that an attacker could hijack user sessions or steal cookies, although these specific outcomes are not explicitly detailed in the CVE.

Affected Systems

Feehi CMS version 2.1.1 is the affected product. No other versions or vendors are listed in the CNA data.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while an EPSS score below 1 % suggests a low likelihood of exploitation. The vulnerability requires a legitimate CMS account to inject the payload, so the primary attack vector is authenticated access via the administration interface. Although the flaw is not published in CISA’s KEV catalog, the combination of client‑side impact and moderate severity warrants prompt remediation.

Generated by OpenCVE AI on April 8, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Feehi CMS release that contains a fix for the stored XSS vulnerability.
  • If no patch is available, limit the ability to edit the Page Sign parameter to users with the highest privileges only.
  • Perform server‑side input validation and output encoding for the Page Sign field to prevent future injection.
  • Deploy a Content Security Policy that blocks inline script execution and reduces the impact of XSS attacks.

Generated by OpenCVE AI on April 8, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cgxr-v74v-g9mm Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Page Sign parameter
History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Authenticated Stored XSS in Feehi CMS Page Sign Parameter

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:feehi:feehi_cms:2.1.1:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Title Authenticated Stored XSS in Feehi CMS Page Sign Parameter
First Time appeared Feehi
Feehi feehi Cms
Weaknesses CWE-79
Vendors & Products Feehi
Feehi feehi Cms

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter.
References

Subscriptions

Feehi Feehi Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T20:27:09.742Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31350

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-04-06T16:16:32.807

Modified: 2026-04-09T21:16:09.183

Link: CVE-2026-31350

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:52:53Z

Weaknesses