CVE-2026-31351
Received - Intake
Stored XSS in Feehi CMS 2.1.1 Title Parameter Allows Script Execution

Publication date: 2026-04-06

Last updated on: 2026-04-07

Assigner: MITRE

Description
An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.
Meta Information
Published: 2026-04-06
Last Modified: 2026-04-07
Generated: 2026-05-07
AI Q&A: 2026-04-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: feehi
Product: feehi_cms
Version / Range: 2.1.1
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary scripts in the browsers of users who view the affected content. This can lead to the theft of sensitive information such as cookies, which may include authentication tokens or personal data.

Such unauthorized access or exposure of personal data can impact compliance with data protection regulations like GDPR and HIPAA, which require organizations to protect user data from unauthorized access and ensure data integrity and confidentiality.

Failure to mitigate this vulnerability could result in breaches of confidentiality, potentially leading to regulatory penalties or loss of trust.


Can you explain this vulnerability to me?

CVE-2026-31351 is a Stored Cross-Site Scripting (Stored XSS) vulnerability found in Feehi CMS version 2.1.1. It occurs because the CMS allows authenticated users to create or edit articles but does not properly sanitize or filter the input in the article title field.

This means an attacker with valid credentials can inject malicious scripts or HTML code into the Title parameter of an article. The injected payload is stored persistently in the database.

When other users or administrators view the affected article, the malicious script executes in their browsers, potentially allowing the attacker to steal cookies or perform other harmful actions.


How can this vulnerability impact me?

This vulnerability can have several impacts including:

  • Execution of arbitrary web scripts in the browsers of users or administrators viewing the affected article.
  • Potential theft of sensitive information such as cookies, which could lead to session hijacking.
  • Compromise of user confidentiality due to unauthorized access to sensitive data.
  • Low impact on data integrity and no impact on availability, but the confidentiality breach can be significant.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to create a new article in Feehi CMS v2.1.1 and injecting a crafted XSS payload into the article title field. If the payload is stored and executed when viewing the article, the vulnerability is present.

  • Step 1: Log in as an authenticated user with article creation privileges.
  • Step 2: Create a new article and insert a test XSS payload (e.g., <script>alert('XSS')</script>) into the title field.
  • Step 3: Save the article.
  • Step 4: View the article as another user or administrator to check if the script executes.

There are no specific network commands provided, but this manual test within the CMS interface is the primary detection method.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing input filtering to remove or neutralize harmful tags or event handlers in the article title field.

  • Use a whitelist approach to allow only safe HTML tags if tag usage is necessary.
  • Restrict article creation and editing privileges to trusted authenticated users.
  • Apply any available patches or updates from Feehi CMS addressing this vulnerability.
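
The filtering described above, sketched for a plain-text title field. This is an added example, not Feehi CMS code or a vendor patch. The function names and sample titles are assumptions, and it also shows why rows stored before a filter existed still need encoding when they are rendered.

```php
<?php
declare(strict_types=1);
// Added example, not Feehi CMS code. normalize_title() and render_title()
// are hypothetical names; requires the mbstring extension.

/** Input side: a title is plain text, so strip markup before it is stored. */
function normalize_title(string $raw, int $maxLen = 255): string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('title is not valid UTF-8');
    }
    $text = strip_tags($raw);                                       // drop tags and their attributes
    $text = preg_replace('/[\x00-\x1F\x7F]+/u', ' ', $text) ?? '';  // control chars -> space
    $text = trim(preg_replace('/\s+/u', ' ', $text) ?? '');         // collapse whitespace
    return mb_substr($text, 0, $maxLen, 'UTF-8');
}

/** Output side: encode at the HTML sink, whatever the stored value looks like. */
function render_title(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample data. The first value is the test payload quoted above.
$newSubmissions = [
    "<script>alert('XSS')</script>",
    'Release notes for "2.x" & later',
];
// A row assumed to have been saved before any input filter existed.
$legacyRow = "<script>alert('XSS')</script>";

foreach ($newSubmissions as $raw) {
    $stored = normalize_title($raw);
    echo 'stored:   ', $stored, PHP_EOL;
    echo 'rendered: <h1>', render_title($stored), '</h1>', PHP_EOL;
}
// Input filtering never touches rows already in the database; only the
// output encoding neutralizes them.
echo 'legacy:   <h1>', render_title($legacyRow), '</h1>', PHP_EOL;
```

strip_tags() can also drop legitimate text that follows a bare `<`, so the encoding in render_title() is the control to rely on and the input filter is a secondary layer.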
