{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31353", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T20:24:41.932Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-06T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T15:58:06.933Z"}, "descriptions": [{"lang": "en", "value": "An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/liufee/cms"}, {"url": "https://github.com/liufee/cms/issues/84"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://github.com/liufee/cms/issues/84", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T18:05:39.900400Z", "id": "CVE-2026-31353", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:24:41.932Z"}}]}, "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:feehi:feehi_cms:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C27559F1-734D-4924-AD35-EDC2DD9EDF7C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter."}], "id": "CVE-2026-31353", "lastModified": "2026-04-09T21:16:09.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-06T16:16:33.130", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/liufee/cms"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/liufee/cms/issues/84"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/liufee/cms/issues/84"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.1.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "feehi_cms", "vendor": "feehi"}], "analysis": {"en": {"generated_at": "2026-04-07T23:27:51.327664+00:00", "value": {"mitigation_remediation": ["Apply an official patch or update to a later version of Feehi\u202fCMS that removes the vulnerability.", "If no patch is available, limit the administrator scope to trusted users and monitor for unusual category names.", "Implement server\u2011side input validation or output encoding for the category name field to neutralize script payloads.", "Enable browser\u2011level XSS protection and enforce Content Security Policy to restrict execution of injected scripts.", "Regularly audit CMS logs for unauthorized changes to category data."], "summary": {"action": "Patch immediately", "impact": "Stored cross\u2011site scripting that allows an authenticated attacker to inject arbitrary scripts via the category name field"}, "threat_synthesis": {"affected_systems": "The affected product is Feehi\u202fCMS, version\u202f2.1.1. The Category module of this CMS is susceptible to the stored XSS. Administrators using this version should verify whether they are running the identified version or a later release with the fix.", "description_and_impact": "The vulnerability occurs in the Category module of Feehi\u202fCMS\u202f2.1.1. An attacker who can authenticate to the administration interface can submit a specially crafted value for the Name field. The input is stored and later rendered as part of the web page without proper encoding, allowing execution of arbitrary JavaScript or injection of HTML. This can be used to deface pages, steal session cookies, or perform phishing attacks against users who view the affected page.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity. The EPSS score is below\u202f1\u202f%, reflecting a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access to create or edit a category, so a legitimate user account or a compromised credential is necessary. Once an attacker injects a payload, any visitor to the page that displays the category name can run the code, potentially leading to data theft or defacement."}}}}, "created": "2026-04-06T21:47:42.912400+00:00", "updated": "2026-04-08T19:52:51.191307+00:00", "vendors": ["feehi", "feehi$PRODUCT$feehi_cms"]}