Description
An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter.
Published: 2026-04-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting requires authentication
Action: Apply Patch
AI Analysis

Impact

An authenticated stored cross‑site scripting vulnerability exists in the Role Management module of Feehi CMS 2.1.1. The flaw allows an attacker to inject arbitrary JavaScript or HTML into the Role Name field, which is later rendered when users view the role data. The malicious code executes in the browsers of any user who accesses the compromised role entry, enabling manipulation of the front‑end or execution of scripts in the victim’s browser context. This vulnerability is identified as CWE‑79.

Affected Systems

The only documented affected product is Feehi CMS version 2.1.1. No other products or versions are mentioned. The issue is confined to the Role Management component of that release.

Risk and Exploitability

The CVSS base score is 5.4, indicating a moderate severity. The EPSS score is below 1 %, reflecting a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires an authenticated session with permission to modify roles, it cannot be triggered by an unauthenticated user. An attacker who gains administrative access could inject the payload, affecting every user who subsequently views the role data.

Generated by OpenCVE AI on April 7, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check whether your installed version is Feehi CMS 2.1.1 and whether Role Management is enabled
  • Search the project repository or issue tracker for a patched release; apply any update immediately
  • If a fix is not yet available, restrict or disable the Role Management feature for non‑admin users
  • Ensure that role name input is properly sanitized or that output is escaped to prevent XSS
  • Limit role‑editing privileges to trusted administrators only
  • Monitor application logs for unusual role creation or modification activity



Advisories
Source | ID | Title
Github GHSA | GHSA-hqjc-wfvx-x2fv | Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Role Management module

History

Fri, 10 Apr 2026 09:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
Title | | Authenticated Stored XSS in Feehi CMS Role Management

Tue, 07 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:feehi:feehi_cms:2.1.1:*:*:*:*:*:*:*
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Title | | Authenticated Stored XSS in Feehi CMS Role Management
First Time appeared | | Feehi; Feehi feehi Cms
Weaknesses | | CWE-79
Vendors & Products | | Feehi; Feehi feehi Cms

Mon, 06 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter.

References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T20:25:29.794Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31352

Vulnrichment

Updated: 2026-04-09T18:05:27.433Z

NVD

Status: Modified

Published: 2026-04-06T16:16:33.027

Modified: 2026-04-09T21:16:09.390

Link: CVE-2026-31352

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:52:52Z
