CVE-2026-31350
Stored XSS in Feehi CMS v2.1.1 via Page Sign Parameter
Publication date: 2026-04-06
Last updated on: 2026-04-09
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| feehi | feehi_cms | 2.1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary web scripts in the context of the affected website. Potential impacts include stealing victim cookies, which can lead to session hijacking, performing unauthorized actions on behalf of users, and other malicious activities. The vulnerability requires an attacker to have authenticated access and some user interaction, but it can compromise confidentiality significantly.
Can you explain this vulnerability to me?
CVE-2026-31350 is a stored cross-site scripting (XSS) vulnerability found in Feehi CMS version 2.1.1. It occurs because authenticated users can inject malicious JavaScript code into the 'Page Sign' parameter without proper input sanitization or filtering. This malicious code is then stored persistently in the database and executed when other users view the affected page.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to create a new page in Feehi CMS version 2.1.1 and injecting a crafted XSS payload into the Page Sign field. If the payload is stored and executed when viewing the page, the vulnerability exists.
- Create a new page in Feehi CMS.
- Insert a JavaScript XSS payload into the Page Sign field.
- Save the page and then view it to check if the payload executes.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing input filtering to sanitize or restrict tags and events in the Page Sign field.
A whitelist approach should be used to allow only certain safe tags if tag usage is necessary.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to execute arbitrary scripts via stored cross-site scripting (XSS), potentially leading to the theft of sensitive information such as user cookies. This can result in unauthorized access to user data, which may violate data protection requirements under standards like GDPR and HIPAA.
Specifically, the high confidentiality impact indicated by the CVSS score suggests that sensitive information could be exposed, which is a concern for compliance with regulations that mandate protection of personal and health information.
Mitigating this vulnerability by implementing proper input sanitization and filtering is essential to maintain compliance with these standards.