{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31350", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-06T15:34:15.550Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-06T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T15:34:15.550Z"}, "descriptions": [{"lang": "en", "value": "An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/liufee/cms"}, {"url": "https://github.com/liufee/cms/issues/82"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:feehi:feehi_cms:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C27559F1-734D-4924-AD35-EDC2DD9EDF7C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter."}], "id": "CVE-2026-31350", "lastModified": "2026-04-07T21:14:34.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-06T16:16:32.807", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/liufee/cms"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Mitigation"], "url": "https://github.com/liufee/cms/issues/82"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.1.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "feehi_cms", "vendor": "feehi"}], "analysis": {"en": {"generated_at": "2026-04-06T19:42:11.736679+00:00", "value": {"mitigation_remediation": ["Identify if your system runs Feehi CMS v2.1.1.", "Check the project\u2019s GitHub releases for an updated version; download and install the latest release.", "If an update is unavailable, apply the official patch provided by the maintainers or modify the Page Sign handling code to properly escape output.", "Limit administrative and editor access to trusted users only.", "Regularly audit web pages for unexpected scripts and monitor for suspicious activity."], "summary": {"action": "Patch", "impact": "Authenticated stored cross\u2011site scripting allowing arbitrary script execution"}, "threat_synthesis": {"affected_systems": "Feehi CMS version 2.1.1 on any deployment where the Page Sign feature is enabled. The flaw requires an authenticated session with privileges sufficient to modify page content.", "description_and_impact": "An authenticated attacker can insert a malicious payload into the Page Sign parameter of Feehi CMS v2.1.1. This stored cross\u2011site scripting flaw permits injection of arbitrary JavaScript or HTML, which is then executed in the browsers of any user who views the affected page. The vulnerability can lead to session hijacking, defacement, data theft, or further injection of malware. The weakness corresponds to improper neutralization of input during web page generation.", "risk_and_exploitability": "The CVSS score is not publicly disclosed, and no EPSS data is available. The flaw is not listed in the CISA KEV catalog. Nonetheless, because it is a stored XSS that requires authentication, exploitability is moderate: an attacker who can log in or compromise an authenticated account can exploit it. The attack vector is inferred to be through the web interface after authentication, as indicated by the description of manipulating a signed page parameter."}}}}, "created": "2026-04-06T20:21:53.829021+00:00", "title": "Authenticated Stored XSS in Feehi CMS Page Sign Parameter", "updated": "2026-04-06T21:47:44.874962+00:00", "vendors": ["feehi", "feehi$PRODUCT$feehi_cms"], "weaknesses": ["CWE-79"]}