Description
Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters.
Published: 2026-04-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Assess
AI Analysis

Impact

Authenticated users can save malicious scripts through the Group, Category and Description fields in the Permissions module of Feehi CMS 2.1.1. These payloads are stored and later rendered when other users view the permissions data, allowing attackers to execute arbitrary client‑side code. This stored XSS (CWE‑79) can lead to session hijacking, defacement or phishing attempts, compromising confidentiality, integrity or availability of the application’s user interface.

Affected Systems

Version 2.1.1 of Feehi CMS, specifically its Permissions module. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests low likelihood of exploitation in the wild. The vulnerability requires authenticated access, so an attacker must know valid credentials. It is not listed in the CISA KEV catalog. The primary attack vector is via normal CMS operations by an authenticated user submitting a crafted payload to the affected fields.

Generated by OpenCVE AI on April 7, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an official update or patch that removes the vulnerability in Feehi CMS.
  • If no patch is available, restrict access to the Permissions module to trusted administrators only.
  • Implement server‑side input sanitization or output encoding for the Group, Category, and Description fields.
  • Deploy a Web Application Firewall rule to block or escape script tags submitted to these fields.
  • Monitor web logs for unusual payloads and inspect permission changes for suspicious activity.

Generated by OpenCVE AI on April 7, 2026 at 23:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xqm9-6qmm-xrqh Feehi CMS has authenticated stored cross-site scripting (XSS) vulnerabilities via the Permissions module
History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Multiple Authenticated Stored XSS in Feehi CMS Permissions Module

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:feehi:feehi_cms:2.1.1:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Title Multiple Authenticated Stored XSS in Feehi CMS Permissions Module
First Time appeared Feehi
Feehi feehi Cms
Weaknesses CWE-79
Vendors & Products Feehi
Feehi feehi Cms

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters.
References

Subscriptions

Feehi Feehi Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T20:23:57.689Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31354

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-04-06T16:16:33.260

Modified: 2026-04-09T21:16:09.793

Link: CVE-2026-31354

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:52:49Z

Weaknesses