CVE-2026-31350: Feehi CMS Stored XSS Vulnerability

CVE-2026-31350 Overview

An authenticated stored cross-site scripting (XSS) vulnerability has been identified in Feehi CMS version 2.1.1. This vulnerability allows authenticated attackers to inject malicious web scripts or HTML content through the Page Sign parameter. Once stored, the malicious payload executes in the browsers of other users who access the affected page, potentially leading to session hijacking, credential theft, or further attacks against CMS administrators and users.

Critical Impact

Authenticated attackers can persistently inject malicious scripts that execute in victim browsers, enabling session hijacking, administrative account compromise, and potential lateral movement within the CMS environment.

Affected Products

• Feehi CMS version 2.1.1
• feehi:feehi_cms (cpe:2.3:a:feehi:feehi_cms:2.1.1:*:*:*:*:*:*:*)

Discovery Timeline

• 2026-04-06 - CVE-2026-31350 published to NVD
• 2026-04-09 - Last updated in NVD database

Technical Details for CVE-2026-31350

Vulnerability Analysis

CVE-2026-31350 represents a stored cross-site scripting (XSS) vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists within the Page Sign parameter functionality of Feehi CMS. When an authenticated user submits content through this parameter, the application fails to properly sanitize or encode user-supplied input before storing it in the database and subsequently rendering it in web pages.

The stored nature of this XSS vulnerability makes it particularly dangerous. Unlike reflected XSS attacks that require victims to click malicious links, stored XSS payloads persist in the application's database and automatically execute whenever users access the compromised page. This characteristic enables attackers to target multiple victims over time, including privileged administrators who may have elevated access to the CMS.

The attack requires authentication (low privileges), meaning an attacker must have a valid account on the Feehi CMS installation. However, once authenticated, the attacker can inject payloads that affect other authenticated users, including those with higher privilege levels. The scope is changed, indicating that the vulnerable component (the CMS) impacts resources beyond its own security scope—namely, the browsers and sessions of other users.

Root Cause

The root cause of this vulnerability is insufficient input validation and output encoding in the Page Sign parameter handling functionality. Feehi CMS version 2.1.1 does not properly sanitize user-controlled input before storing it in the database, nor does it apply appropriate output encoding when rendering the stored content back to users. This allows HTML and JavaScript code submitted by attackers to be preserved and executed as active content rather than being treated as harmless text.

Attack Vector

The attack is network-accessible and requires low privileges (authentication) along with user interaction from the victim. An authenticated attacker crafts a malicious payload containing JavaScript or HTML code and submits it through the Page Sign parameter. The malicious content is stored in the CMS database. When other users—particularly administrators—view the page containing the injected content, their browsers execute the malicious script within the security context of the CMS application.

Potential attack scenarios include:

• Session Hijacking: The injected script can steal session cookies and transmit them to an attacker-controlled server
• Credential Theft: Fake login forms can be injected to capture administrator credentials
• Administrative Actions: Scripts can perform actions on behalf of authenticated administrators, such as creating new admin accounts or modifying CMS content
• Malware Distribution: The CMS can be weaponized to serve malware to site visitors

The vulnerability exploits the trust relationship between the CMS and its users' browsers. For detailed technical information, refer to the GitHub Issue #82 Discussion which documents the vulnerability.

Detection Methods for CVE-2026-31350

Indicators of Compromise

• Unexpected JavaScript code or HTML tags appearing in Page Sign database fields or rendered page content
• User reports of browser warnings, unexpected popups, or redirects when accessing CMS pages
• Anomalous outbound network requests from user browsers to unknown external domains after viewing CMS content
• Unauthorized administrative account creation or configuration changes without corresponding legitimate administrator activity

Detection Strategies

• Implement web application firewall (WAF) rules to detect XSS payloads in HTTP POST requests targeting the Page Sign parameter
• Deploy content security policy (CSP) headers to restrict script execution sources and report violations
• Monitor application logs for suspicious input patterns including <script> tags, event handlers (onerror, onload), and JavaScript URIs
• Conduct periodic database audits to identify stored content containing potential XSS payloads

Monitoring Recommendations

• Enable detailed logging for all CMS administrative actions and page modifications
• Configure browser-side CSP violation reporting to capture attempted XSS execution
• Implement real-time alerting for database content containing HTML or JavaScript injection patterns
• Monitor network traffic for data exfiltration attempts originating from user browsers after accessing CMS pages

How to Mitigate CVE-2026-31350

Immediate Actions Required

• Audit existing Page Sign database content for previously injected malicious payloads and sanitize or remove any identified threats
• Restrict CMS account creation and limit the number of authenticated users who can modify Page Sign content
• Implement strict Content Security Policy (CSP) headers to mitigate the impact of any existing XSS payloads
• Review user activity logs for suspicious behavior and investigate any accounts that may have been used for injection attempts

Patch Information

As of the last modification date, users should monitor the Feehi CMS GitHub repository for updates addressing this vulnerability. The issue has been documented in GitHub Issue #82. Organizations are advised to check for new releases and apply any security patches as soon as they become available.

Workarounds

• Implement server-side input validation to strip or encode HTML and JavaScript from the Page Sign parameter before storage
• Deploy a web application firewall (WAF) with XSS detection rules to filter malicious input at the network edge
• Apply strict output encoding (HTML entity encoding) when rendering user-supplied content from the Page Sign parameter
• Restrict Page Sign modification capabilities to highly trusted administrators only until a vendor patch is available
• Implement Content Security Policy headers with script-src 'self' to prevent inline script execution

# Example Content Security Policy header configuration for Apache
# Add to .htaccess or httpd.conf to mitigate XSS impact
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'; form-action 'self';"

# Example for Nginx
# Add to server block configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'; form-action 'self';";