{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31351", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-06T19:57:55.444Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-06T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T15:14:57.954Z"}, "descriptions": [{"lang": "en", "value": "An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/liufee/cms"}, {"url": "https://github.com/liufee/cms/issues/81"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T19:57:49.926079Z", "id": "CVE-2026-31351", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:57:55.444Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31351", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T19:57:49.926079Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:57:40.002Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/liufee/cms"}, {"url": "https://github.com/liufee/cms/issues/81"}], "descriptions": [{"lang": "en", "value": "An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T15:14:57.954Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31351", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:57:55.444Z", "dateReserved": "2026-03-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-06T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:feehi:feehi_cms:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C27559F1-734D-4924-AD35-EDC2DD9EDF7C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter."}], "id": "CVE-2026-31351", "lastModified": "2026-04-07T21:14:30.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-06T16:16:32.917", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/liufee/cms"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Mitigation"], "url": "https://github.com/liufee/cms/issues/81"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.1.1"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 84.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "feehi_cms", "vendor": "feehi"}], "analysis": {"en": {"generated_at": "2026-04-07T23:53:57.893019+00:00", "value": {"mitigation_remediation": ["Upgrade Feehi CMS to a version where the Title field input is properly sanitized and encoded", "If an upgrade is not possible, limit editing permissions to trusted users", "Disable or remove the vulnerable Title field from the content editor to block payload injection"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects only the Feehi CMS product. The specific version impacted is 2.1.1, as identified by the CNAs and the reported CPE. No other vendors or product variants are listed. Systems running this version should verify that they are not using custom modules that extend the Title field, as the flaw is tied to that data entry point.", "description_and_impact": "An authenticated stored cross\u2011site scripting flaw exists in the content creation and editing module of Feehi CMS version 2.1.1. By inserting malicious HTML or JavaScript into the Title field, a logged\u2011in user with sufficient privileges can store a payload that will execute whenever the page is viewed. This allows an attacker to hijack user sessions, deface the website, or steal credentials via client\u2011side attacks. The weakness is classified as CWE\u201179, indicating a lack of proper input validation or output encoding.", "risk_and_exploitability": "The CVSS base score of 4.8 points to medium severity and the EPSS probability is less than 1%, implying that the vulnerability is not widely exploited at present. It does not appear in the CISA KEV list, meaning no confirmed active exploitation reports. The attack requires authentication with editing rights, which is a prerequisite for exploitation. Once the payload is stored it will execute for all users who view the affected content."}}}}, "created": "2026-04-06T20:21:55.962931+00:00", "title": "Authenticated Stored XSS via Title in Feehi CMS 2.1.1", "updated": "2026-04-08T19:52:55.734053+00:00", "vendors": ["feehi", "feehi$PRODUCT$feehi_cms"]}