{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31354", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-06T15:52:11.838Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-06T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T15:52:11.838Z"}, "descriptions": [{"lang": "en", "value": "Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/liufee/cms"}, {"url": "https://github.com/liufee/cms/issues/85"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters."}], "id": "CVE-2026-31354", "lastModified": "2026-04-06T16:16:33.260", "metrics": {}, "published": "2026-04-06T16:16:33.260", "references": [{"source": "cve@mitre.org", "url": "https://github.com/liufee/cms"}, {"source": "cve@mitre.org", "url": "https://github.com/liufee/cms/issues/85"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.1.1"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 84.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "feehi_cms", "vendor": "feehi"}], "analysis": {"en": {"generated_at": "2026-04-06T19:41:26.356993+00:00", "value": {"mitigation_remediation": ["Apply the official patch or upgrade to the latest version of Feehi CMS that resolves the XSS flaw.", "If a patch is not yet available, sanitize all input for the Group, Category and Description fields by escaping HTML special characters or using a whitelist approach.", "Disable or remove the Permissions module if it is not required for the site\u2019s functionality.", "Configure a Web Application Firewall to block script payloads targeting the vulnerable parameters."], "summary": {"action": "Immediate Patch", "impact": "Stored cross\u2011site scripting allowing arbitrary web script execution"}, "threat_synthesis": {"affected_systems": "Feehi CMS version 2.1.1 is affected. No other versions or vendors are reported in the CVE entry. Only this specific version is listed as vulnerable.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw that requires authentication and affects the Permissions module of Feehi CMS. A malicious user can craft input for the Group, Category or Description fields that is stored and later presented to other authenticated users. This allows execution of arbitrary JavaScript or HTML in a victim\u2019s browser, potentially leading to session hijacking, theft of credentials, or redirection to phishing sites. The weakness is a classic web input sanitation flaw, typically mapped to the Common Weakness Enumeration identifier for Cross\u2011Site Scripting.", "risk_and_exploitability": "The score for this issue is not available, and it is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no documented exploitation yet. The likely attack vector requires a valid authenticated session, so an attacker would need credentials or administrative access to the CMS. The risk level is considered moderate to high for organizations running the affected version, as successful exploitation could compromise user accounts and site integrity. Without a public exploit, the threat is primarily theoretical but still actionable given the severity of the potential impact."}}}}, "created": "2026-04-06T20:21:51.784506+00:00", "title": "Multiple Authenticated Stored XSS in Feehi CMS Permissions Module", "updated": "2026-04-06T21:47:41.832410+00:00", "vendors": ["feehi", "feehi$PRODUCT$feehi_cms"], "weaknesses": ["CWE-79"]}