CVE-2026-31352
Stored XSS in Feehi CMS Role Management Allows Script Injection
Publication date: 2026-04-06
Last updated on: 2026-04-09
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| feehi | feehi_cms | 2.1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 can lead to the theft of administrator cookies and potential session compromise. This unauthorized access to sensitive administrative sessions could result in exposure or misuse of personal or protected data managed by the CMS.
Such exposure and compromise of sensitive data may negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.
Therefore, if exploited, this vulnerability could lead to violations of data protection requirements mandated by these regulations.
Can you explain this vulnerability to me?
CVE-2026-31352 is a stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS version 2.1.1. It occurs because the system does not properly sanitize or filter input in the Role Name field. An attacker with administrative privileges can inject malicious JavaScript code into the role name, which is then stored persistently in the database.
When an administrator later views the list of roles or logs, the malicious script executes in their browser. This can lead to theft of administrator cookies and potentially compromise their sessions.
How can this vulnerability impact me?
This vulnerability can allow attackers with administrative privileges to execute arbitrary scripts in the context of other administrators' browsers. This can result in the theft of session cookies, leading to session hijacking and unauthorized access.
The impact includes potential compromise of administrator accounts, escalation of privileges, and unauthorized actions within the CMS. It requires network access, low attack complexity, and user interaction, but the attacker must have high privileges to inject the payload.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to create a new role in the Feehi CMS Role Management module and injecting a crafted XSS payload into the Role Name parameter. If the system does not properly sanitize or filter the input, the payload will be stored and executed when viewing the roles.
A practical detection method involves these steps:
- Log in as an administrator to the Feehi CMS.
- Create a new role and insert a simple XSS payload (e.g., `<script>alert('XSS')</script>`) into the Role Name field.
- Save the role and then view the list of roles or logs where the role name is displayed.
If the alert box appears or the script executes, the vulnerability is present.
There are no specific network commands provided, but monitoring HTTP requests for suspicious input in the Role Name parameter or scanning the database for stored scripts in role names can also help detect exploitation.
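The database-side check mentioned above, written out as an added example (this is not Feehi's code, and the rows below are constructed to stand in for a query over the CMS role table): each stored role name is run through Python's HTML parser, and any row that yields a tag or an `on*` event-handler attribute is reported. Parsing rather than grepping for `<script` means case variations and non-script tags carrying handlers are caught too, while a bare `<` in text such as `a < b` is not.

```python
"""Scan stored role names for markup that a browser would execute.

Added example, not part of Feehi CMS. SAMPLE_ROLE_ROWS is constructed to
look like the result of a SELECT over the role table; feed real query
results into scan_role_names() in the same (role_id, role_name) shape.
"""
from html.parser import HTMLParser

# Constructed sample rows: (role_id, role_name).
SAMPLE_ROLE_ROWS = [
    (1, "editor"),
    (2, "R&D lead"),                           # ampersand, but no markup
    (3, "<script>alert('XSS')</script>"),      # the page's own test payload
    (4, '<b onmouseover="x()">admin</b>'),     # inert tag carrying an event handler
    (5, "a < b"),                              # lone '<' that is not a tag
]


class MarkupFinder(HTMLParser):
    """Collects every start tag and every on* attribute the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        # A role name should contain no markup at all, so any tag is a finding.
        self.tags.append(tag)
        for attr_name, _value in attrs:
            if attr_name.lower().startswith("on"):
                self.handlers.append(f"{tag}@{attr_name}")


def find_markup(value):
    """Return the reasons a stored value looks like markup; [] if clean."""
    parser = MarkupFinder()
    parser.feed(value)
    parser.close()
    reasons = [f"tag <{t}>" for t in parser.tags]
    reasons += [f"event handler {h}" for h in parser.handlers]
    return reasons


def scan_role_names(rows):
    """Map role_id -> reasons for every row whose name contains markup."""
    findings = {}
    for role_id, name in rows:
        reasons = find_markup(name)
        if reasons:
            findings[role_id] = reasons
    return findings


if __name__ == "__main__":
    for role_id, reasons in scan_role_names(SAMPLE_ROLE_ROWS).items():
        print(f"role {role_id}: {', '.join(reasons)}")
```

Running it against the sample rows reports roles 3 and 4 only; the same function can be pointed at the Role Name parameter of incoming requests for the HTTP-side monitoring the answer mentions.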
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement input filtering to remove or neutralize HTML tags and event handlers in the Role Name parameter.
- Encode special characters such as `<`, `>`, `(`, and `)` to prevent script execution.
- Restrict administrative privileges to trusted users only, as the vulnerability requires high privileges to exploit.
- Avoid viewing role names or logs in an untrusted environment until the vulnerability is patched.
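The first two mitigation steps as working code, added here as an example rather than Feehi's own fix: an allow-list validator for the Role Name input (stricter than stripping tags, and my choice here), and contextual output encoding applied wherever the stored name is echoed, both in the role list and in log views. The vulnerable concatenation is kept beside the encoded version so the difference in output is visible. In a PHP application the encoding call is `htmlspecialchars($name, ENT_QUOTES, 'UTF-8')`; function names below are hypothetical.

```python
"""Input allow-listing and output encoding for a CMS role name.

Added example, not part of Feehi CMS. The two layers are independent:
validation rejects markup at the input side, and encoding guarantees that
whatever is stored is displayed as text rather than parsed as HTML.
"""
import html
import re

# Allow-list: letters, digits, spaces, hyphen and underscore, 1-64 chars.
# Angle brackets, quotes, parentheses and '=' are rejected outright.
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")


def validate_role_name(name: str) -> bool:
    """True only for names that contain no characters usable for markup."""
    return ROLE_NAME_RE.fullmatch(name) is not None


def render_role_row_unsafe(role_id, name):
    """The CWE-79 pattern: the stored name is concatenated into HTML as-is."""
    return f"<tr><td>{role_id}</td><td>{name}</td></tr>"


def render_role_row(role_id, name):
    """HTML-element context: & < > " ' become entities, so the browser shows
    the literal name instead of interpreting it."""
    return f"<tr><td>{int(role_id)}</td><td>{html.escape(name, quote=True)}</td></tr>"


def render_log_line(action, name):
    """Logs that echo the role name need the same encoding as the role list."""
    return f"<li>{html.escape(action, quote=True)}: {html.escape(name, quote=True)}</li>"


if __name__ == "__main__":
    payload = "<script>alert('XSS')</script>"     # the page's own test value
    print("validation accepts payload:", validate_role_name(payload))
    print("unsafe:", render_role_row_unsafe(3, payload))
    print("encoded:", render_role_row(3, payload))
    print("log:", render_log_line("role created", payload))
```

With both layers in place a payload like the one on this page never reaches the table, and even a name that was stored before the fix renders as inert text.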