{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31353", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-06T15:58:06.933Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-06T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T15:58:06.933Z"}, "descriptions": [{"lang": "en", "value": "An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/liufee/cms"}, {"url": "https://github.com/liufee/cms/issues/84"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter."}], "id": "CVE-2026-31353", "lastModified": "2026-04-06T16:16:33.130", "metrics": {}, "published": "2026-04-06T16:16:33.130", "references": [{"source": "cve@mitre.org", "url": "https://github.com/liufee/cms"}, {"source": "cve@mitre.org", "url": "https://github.com/liufee/cms/issues/84"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.1.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "feehi_cms", "vendor": "feehi"}], "analysis": {"en": {"generated_at": "2026-04-06T20:07:53.219786+00:00", "value": {"mitigation_remediation": ["Update Feehi CMS to a patched version that addresses the XSS flaw", "If a patch is unavailable, restrict category\u2011management permissions to trusted administrators only", "Implement server\u2011side input validation or sanitization on the Name field to remove script tags and dangerous content", "Monitor application logs for unexpected category creation or modification activity"], "summary": {"action": "Patch", "impact": "Stored cross-site scripting with arbitrary script execution"}, "threat_synthesis": {"affected_systems": "The affected product is Feehi CMS version 2.1.1 with the Category module enabled. Only installations that use that module and allow users to modify category names are impacted.", "description_and_impact": "An authenticated stored cross\u2011site scripting vulnerability exists in the Category module of Feehi CMS. The flaw allows a user with permission to create or edit a category to inject a crafted payload into the Name field, which is stored and rendered on subsequent page views. The injected content can contain arbitrary scripts or HTML.", "risk_and_exploitability": "The vulnerability requires authenticated access; unauthenticated users cannot exploit it directly. The lack of CVSS, EPSS, and KEV data suggests no known widespread exploitation. The likely attack vector is an authenticated user with category\u2011management privileges, and the primary risk is to the browsers of users who view the compromised category pages, potentially exposing sensitive client\u2011side data or enabling phishing. No evidence indicates that a server\u2011side compromise can be achieved through this flaw."}}}}, "created": "2026-04-06T21:47:42.912400+00:00", "title": "Authenticated Stored XSS in Feehi CMS Category Module", "updated": "2026-04-07T09:39:42.631444+00:00", "vendors": ["feehi", "feehi$PRODUCT$feehi_cms"], "weaknesses": ["CWE-79"]}