CVE-2026-31354
Status: Received - Intake
Stored XSS in Feehi CMS Permissions Module Allows Script Injection

Publication date: 2026-04-06

Last updated on: 2026-04-09

Assigner: MITRE

Description
Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allow attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Group, Category or Description parameters.
Meta Information
Published: 2026-04-06
Last Modified: 2026-04-09
Generated: 2026-05-07
AI Q&A: 2026-04-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: feehi
Product: feehi_cms
Version / Range: 2.1.1
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31354 is a Stored Cross-Site Scripting (XSS) vulnerability found in Feehi CMS version 2.1.1, specifically in the Permissions module. Authenticated users who have permission to create or manage roles can inject malicious JavaScript code into the Group, Category, or Description fields. This malicious code is stored by the system and later executed when a superadmin visits critical pages, such as the "Create Admin User" page.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to execute malicious JavaScript code that can lead to the theft of admin cookies, potentially compromising administrative accounts and sensitive data.

Such unauthorized access and data exposure could result in violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, this vulnerability may negatively impact compliance with these standards by exposing confidential information and failing to maintain adequate security controls.


How can this vulnerability impact me?

This vulnerability can lead to the execution of malicious scripts in the context of an administrator's browser. Specifically, when a superadmin accesses the affected page, the injected script can run and potentially steal sensitive information such as admin cookies. This can result in unauthorized access or privilege escalation within the CMS, compromising the confidentiality of the system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of malicious JavaScript code injected into the Group, Category, or Description fields within the Permissions module of Feehi CMS version 2.1.1.

Since the vulnerability involves stored cross-site scripting (XSS), detection involves inspecting the database or the input fields for suspicious script tags or payloads.

Suggested commands include querying the database for suspicious content in the relevant fields. For example, if using MySQL, you can run:

  • SELECT * FROM `permissions` WHERE `Group` LIKE '%<script>%' OR `Category` LIKE '%<script>%' OR `Description` LIKE '%<script>%';

(`Group` is a reserved word in MySQL, so the identifier must be quoted with backticks; the table and column names are placeholders and need to be matched to the actual Feehi CMS schema.)

Additionally, monitoring HTTP requests and responses for injected scripts when authenticated users create or modify permissions can help detect exploitation attempts.
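The query above only catches a literal `<script>` tag. The following added example (not part of this record and not Feehi CMS code) scans exported permission rows with a broader set of heuristics for markup in fields that should never contain it, and builds the equivalent backtick-quoted MySQL query. The table and column names, the heuristic patterns and the sample rows are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Fields the advisory names as injection points in the Permissions module.
WATCHED_FIELDS = ("Group", "Category", "Description")

# Heuristic patterns for content that has no business in a permission record.
# Constructed for this example; tune them to the real data before relying on them.
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "markup": re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*[\s>/]", re.IGNORECASE),
}


def scan_row(row: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (field, pattern_name) pairs for every heuristic that fires on a row."""
    findings = []
    for field in WATCHED_FIELDS:
        value = row.get(field) or ""
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(str(value)):
                findings.append((field, name))
    return findings


def scan_rows(rows) -> Dict[int, List[Tuple[str, str]]]:
    """Map row id -> findings, keeping only rows with at least one hit."""
    report = {}
    for row in rows:
        hits = scan_row(row)
        if hits:
            report[row["id"]] = hits
    return report


def mysql_like_query(table: str = "permissions", needle: str = "<script") -> str:
    """Build the advisory's LIKE query with all identifiers backtick-quoted
    (Group is a reserved word in MySQL and fails unquoted)."""
    clauses = " OR ".join(f"`{f}` LIKE '%{needle}%'" for f in WATCHED_FIELDS)
    return f"SELECT * FROM `{table}` WHERE {clauses};"


# Constructed sample export; row 1 is clean, rows 2-4 carry typical test strings.
SAMPLE_ROWS = [
    {"id": 1, "Group": "editors", "Category": "content", "Description": "Can edit posts"},
    {"id": 2, "Group": "<script>alert(1)</script>", "Category": "content", "Description": ""},
    {"id": 3, "Group": "reviewers", "Category": "qa",
     "Description": "<img src=x onerror=alert(1)>"},
    {"id": 4, "Group": "ops", "Category": "infra",
     "Description": 'Docs: <a href="javascript:alert(1)">here</a>'},
]

if __name__ == "__main__":
    print(mysql_like_query())
    for row_id, hits in scan_rows(SAMPLE_ROWS).items():
        print(f"row {row_id}: {hits}")
```

In practice the rows would come from a `SELECT` over the real permissions table (or a database dump); review every flagged row by hand, since the `markup` heuristic will also fire on harmless text that merely contains angle brackets.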


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the Permissions module to only trusted and necessary users with high privileges.

Ensure that input sanitization and validation are applied to the Group, Category, and Description fields to prevent injection of malicious scripts.

If possible, update Feehi CMS to a version where this vulnerability is patched.

As a temporary measure, review and remove any suspicious or unknown permissions that may contain malicious payloads.

Monitor admin user creation activities closely to detect any unusual behavior that might trigger the stored XSS payload.
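The steps above call for input validation on the three fields and for sanitization before the stored values reach an admin page. The following added example (not Feehi CMS code; its allow-list and length limits are policy choices assumed for the example) shows the two layers a fix for CWE-79 needs: a strict allow-list for the Group and Category names, which have no reason to contain markup, and HTML output encoding for everything, including the free-text Description, at the point where it is rendered into the "Create Admin User" page.

```python
import html
import re
from typing import Dict

# Allow-list for permission names. Assumption: letters, digits and a few
# separators, up to 64 characters; adjust to the naming scheme actually in use.
NAME_PATTERN = re.compile(r"[A-Za-z0-9_.:-]{1,64}")
MAX_DESCRIPTION = 255


class ValidationError(ValueError):
    """Raised when a submitted permission record fails validation."""


def validate_permission_input(group: str, category: str, description: str) -> Dict[str, str]:
    """Server-side validation for the three fields the advisory names.

    Group and Category must match the allow-list; Description is free text,
    so only its length is checked here and it is neutralized on output."""
    for label, value in (("Group", group), ("Category", category)):
        if not NAME_PATTERN.fullmatch(value):
            raise ValidationError(
                f"{label} may only contain letters, digits, '_', '.', ':' or '-' "
                f"(1 to 64 characters)")
    if len(description) > MAX_DESCRIPTION:
        raise ValidationError(f"Description exceeds {MAX_DESCRIPTION} characters")
    return {"Group": group, "Category": category, "Description": description}


def render_permission_option(perm: Dict[str, str]) -> str:
    """Render a stored record into an <option> for the admin-user form.

    Every value is HTML-encoded with quote=True because the same string is
    placed both inside an attribute and as element text; encoding at output
    time neutralizes payloads that were stored before the fix was deployed."""
    group = html.escape(perm["Group"], quote=True)
    category = html.escape(perm["Category"], quote=True)
    description = html.escape(perm["Description"], quote=True)
    return f'<option value="{group}">{group} / {category}: {description}</option>'


if __name__ == "__main__":
    # Constructed examples: one valid record, one rejected, one stored payload rendered safely.
    print(validate_permission_input("editors", "content", "Can edit posts"))
    try:
        validate_permission_input("<script>alert(1)</script>", "content", "")
    except ValidationError as exc:
        print("rejected:", exc)
    legacy = {"Group": "reviewers", "Category": "qa",
              "Description": "<img src=x onerror=alert(1)>"}
    print(render_permission_option(legacy))
```

Validation on its own is not enough, because records written before the fix (or through another code path) are already in the database; the output encoding is what makes those safe to display, and the validation keeps the names clean for everything else that consumes them.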

