CVE-2026-31353
Stored XSS in Feehi CMS Category Module Allows Script Injection
Publication date: 2026-04-06
Last updated on: 2026-04-09
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| feehi | feehi_cms | 2.1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31353 is a stored cross-site scripting (XSS) vulnerability in Feehi CMS version 2.1.1, specifically in the Category module. Authenticated users can inject malicious scripts into the Name parameter of a category because the input is not properly sanitized or filtered. This malicious script is then stored persistently and executed whenever the category name is displayed on various pages such as the home page, articles, and article categories.
How can this vulnerability impact me? :
The vulnerability allows attackers to execute arbitrary web scripts in the context of the victim's browser. If a user or administrator visits a page containing the malicious category, the attacker can steal the victimβs cookies, potentially compromising their session. This can lead to unauthorized access to user accounts and sensitive information. The CVSS score of 6.9 indicates a significant impact, with high confidentiality impact and low integrity impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious scripts injected into the Category module's Name parameter in Feehi CMS version 2.1.1. Since the vulnerability involves stored cross-site scripting, one way to detect it is to review the category names for suspicious or unexpected HTML or JavaScript code.
A practical approach is to query the database or use the CMS interface to list category names and look for script tags or other suspicious payloads.
- Use a database query to find suspicious entries, for example (assuming MySQL): SELECT id, name FROM category WHERE name LIKE '%<script>%';
- Manually inspect category names via the CMS admin panel for any unusual HTML or JavaScript code.
- Monitor HTTP responses from pages displaying categories for unexpected script execution or injected code.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating all inputs to the Category module, especially the Name parameter, to prevent injection of malicious scripts.
Since the vulnerability requires authenticated access with high privileges, restricting category creation and modification to trusted users can reduce risk.
- Apply input filtering or escaping on the category name field to remove or neutralize HTML and JavaScript code.
- Update Feehi CMS to a version where this vulnerability is fixed, if available.
- Review and remove any existing malicious category names from the database.
- Educate users and administrators to avoid clicking on suspicious links or categories until the issue is resolved.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary scripts that can steal user cookies and potentially compromise user sessions. This can lead to unauthorized access to sensitive personal data.
Such unauthorized access and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require organizations to protect personal data against unauthorized access and ensure data integrity and confidentiality.
Therefore, exploitation of this vulnerability could result in violations of these standards due to failure to adequately protect user data and prevent unauthorized data exposure.