Description
An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name parameter.
Published: 2026-04-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting that allows an authenticated attacker to inject arbitrary scripts via the category name field
Action: Patch immediately
AI Analysis

Impact

The vulnerability occurs in the Category module of Feehi CMS 2.1.1. An attacker who can authenticate to the administration interface can submit a specially crafted value for the Name field. The input is stored and later rendered as part of the web page without proper encoding, allowing execution of arbitrary JavaScript or injection of HTML. This can be used to deface pages, steal session cookies, or perform phishing attacks against users who view the affected page.

Affected Systems

The affected product is Feehi CMS, version 2.1.1. The Category module of this CMS is susceptible to the stored XSS. Administrators should verify whether they are running the affected version or a later release that contains the fix.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is below 1%, reflecting a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access to create or edit a category, so a legitimate user account or a compromised credential is necessary. Once an attacker injects a payload, any visitor to the page that displays the category name can run the code, potentially leading to data theft or defacement.

Generated by OpenCVE AI on April 7, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official patch or update to a later version of Feehi CMS that removes the vulnerability.
  • If no patch is available, limit the administrator scope to trusted users and monitor for unusual category names.
  • Implement server-side input validation or output encoding for the category name field to neutralize script payloads.
  • Enable browser-level XSS protection and enforce Content Security Policy to restrict execution of injected scripts.
  • Regularly audit CMS logs for unauthorized changes to category data.
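The following is an added illustration of the two recommendations above (output encoding for the category name field, and auditing stored category names for markup); it is example code, not Feehi CMS's own templates or field handling, and the sample names are constructed:

```python
import html
import re
from urllib.parse import quote

# Constructed sample values standing in for names submitted to the Category
# module's Name field (not taken from the advisory or from Feehi CMS).
SAMPLE_NAMES = [
    "Tutorials",
    "News & Events",
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
    "Café",
]

# Markup fragments that have no legitimate place in a category name:
# an opening tag, an inline event handler, or a javascript: URL.
_MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def render_name_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored name is concatenated into HTML verbatim,
    so '<', '>' and '"' in the name become live markup for every visitor."""
    return f'<a href="/category?name={name}">{name}</a>'


def render_name(name: str) -> str:
    """Hardened pattern: encode for each output context separately.
    The text node gets HTML entity encoding (quote=True also covers ' and "),
    the URL parameter gets percent-encoding with no characters left 'safe'."""
    return (
        f'<a href="/category?name={quote(name, safe="")}">'
        f"{html.escape(name, quote=True)}</a>"
    )


def is_suspicious_name(name: str) -> bool:
    """Audit helper: True when a stored name contains tag-like or handler-like text."""
    return bool(_MARKUP.search(name))


def audit(names):
    """Return the subset of stored category names that warrant a manual look."""
    return [n for n in names if is_suspicious_name(n)]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(render_name(n))
    print("flagged:", audit(SAMPLE_NAMES))
```

Legitimate names such as "News & Events" and "Café" survive encoding unchanged in meaning, while the two injected samples are both neutralised on output and flagged by the audit.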



Advisories
Source | ID | Title
Github GHSA | GHSA-664p-j3q6-p843 | Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Category module
History

Wed, 08 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
Title | | Authenticated Stored XSS in Feehi CMS Category Module

Tue, 07 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:feehi:feehi_cms:2.1.1:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 07 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Feehi; Feehi feehi Cms
Vendors & Products | | Feehi; Feehi feehi Cms

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Title | | Authenticated Stored XSS in Feehi CMS Category Module
Weaknesses | | CWE-79

Mon, 06 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T20:24:41.932Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31353

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-04-06T16:16:33.130

Modified: 2026-04-09T21:16:09.590

Link: CVE-2026-31353

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:52:51Z

Weaknesses