{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31352", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-06T15:37:58.734Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-06T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T15:37:58.734Z"}, "descriptions": [{"lang": "en", "value": "An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/liufee/cms"}, {"url": "https://github.com/liufee/cms/issues/83"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:feehi:feehi_cms:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C27559F1-734D-4924-AD35-EDC2DD9EDF7C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter."}], "id": "CVE-2026-31352", "lastModified": "2026-04-07T21:14:23.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-06T16:16:33.027", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/liufee/cms"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Mitigation"], "url": "https://github.com/liufee/cms/issues/83"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.1.1"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 84.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "feehi_cms", "vendor": "feehi"}], "analysis": {"en": {"generated_at": "2026-04-06T19:41:54.682344+00:00", "value": {"mitigation_remediation": ["Check the Feehi CMS vendor site or community forums for a patched release that addresses the stored XSS in the Role Management module.", "If a patch is not yet available, restrict editing of roles to trusted administrators only and remove role editing capabilities for other users.", "Implement input validation or output encoding on the Role Name field to neutralize XSS payloads.", "Deploy a web application firewall rule set that blocks common XSS attack strings against the Role Name endpoint.", "Apply a Content Security Policy header to limit the execution of injected scripts and to mitigate the impact of any remaining XSS vectors."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting allows attackers to execute arbitrary scripts in users\u2019 browsers."}, "threat_synthesis": {"affected_systems": "The vulnerability exists in Feehi CMS version 2.1.1. No other affected versions or vendors are listed in the available data.", "description_and_impact": "An authenticated user can inject malicious payloads into the Role Name field of the Role Management module in Feehi CMS. Because the input is stored and later rendered without filtering, the attacker can execute arbitrary JavaScript or HTML when the role data is displayed, enabling session hijacking, defacement, or redirection of site visitors.", "risk_and_exploitability": "The CVSS score and EPSS metrics are not provided, but the vulnerability requires legitimate authentication and will affect all users who view the role data. In the absence of a public exploit, the risk is moderate to high for authenticated users. Because this flaw allows remote script execution, it can compromise confidentiality, integrity, and availability of the application and its users."}}}}, "created": "2026-04-06T20:21:52.786769+00:00", "title": "Authenticated Stored XSS in Feehi CMS Role Management", "updated": "2026-04-06T21:47:43.852318+00:00", "vendors": ["feehi", "feehi$PRODUCT$feehi_cms"], "weaknesses": ["CWE-79"]}