Description
An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.
Published: 2026-04-06
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

An authenticated stored cross‑site scripting flaw exists in the content creation and editing module of Feehi CMS version 2.1.1. By inserting malicious HTML or JavaScript into the Title field, a logged‑in user with sufficient privileges can store a payload that will execute whenever the page is viewed. This allows an attacker to hijack user sessions, deface the website, or steal credentials via client‑side attacks. The weakness is classified as CWE‑79, indicating a lack of proper input validation or output encoding.

Affected Systems

The vulnerability affects only the Feehi CMS product. The specific version impacted is 2.1.1, as identified by the CNAs and the reported CPE. No other vendors or product variants are listed. Operators of systems running this version should verify that they are not using custom modules that extend the Title field, because the flaw is tied to that data entry point.

Risk and Exploitability

The CVSS base score of 4.8 indicates medium severity, and the EPSS probability is below 1%, indicating a low estimated likelihood of exploitation in the near term. The vulnerability does not appear in the CISA KEV list, meaning there are no confirmed reports of active exploitation. Exploitation requires authentication with editing rights. Once the payload is stored, it executes for all users who view the affected content.

Generated by OpenCVE AI on April 7, 2026 at 23:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Feehi CMS to a version where the Title field input is properly sanitized and encoded
  • If an upgrade is not possible, limit editing permissions to trusted users
  • Disable or remove the vulnerable Title field from the content editor to block payload injection


Advisories
Source: Github GHSA
ID: GHSA-cvjh-88c8-2jjx
Title: Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation/editing module
History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Authenticated Stored XSS via Title in Feehi CMS 2.1.1

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:feehi:feehi_cms:2.1.1:*:*:*:*:*:*:*

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Authenticated Stored XSS in Feehi CMS 2.1.1 Title Field

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Title Authenticated Stored XSS in Feehi CMS 2.1.1 Title Field
First Time appeared: Feehi; Feehi feehi Cms
Weaknesses: CWE-79
Vendors & Products: Feehi; Feehi feehi Cms
Metrics:
cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T19:57:55.444Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31351

Vulnrichment

Updated: 2026-04-06T19:57:40.002Z

NVD

Status: Analyzed

Published: 2026-04-06T16:16:32.917

Modified: 2026-04-07T21:14:30.467

Link: CVE-2026-31351

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:52:55Z

Weaknesses