Feehi CMS Stored Cross-Site Scripting Vulnerability in Permissions Module

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Permissions module of Feehi CMS version 2.1.1. It allows authenticated users with permission creation rights to inject malicious scripts into the Group, Category, or Description fields. Because this input is not sanitized, the stored scripts are executed later when the values are displayed, particularly on critical pages such as 'Create Admin User'.

Impact

When exploited, the injected scripts execute in the context of the user who loads the affected page, potentially leading to cookie theft and impersonation of the admin user.

Reproduction

To reproduce this vulnerability, create a new permission and inject a script payload into the Group, Category, or Description fields. Once the permission is saved, create a new admin user. The injected script will execute, demonstrating the cross-site scripting vulnerability.
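
The example below is added here and is not Feehi CMS code: it shows a permission row rendered with stored values concatenated unchanged, next to a version that encodes each of the three fields at output time, which is one standard way to close this class of bug. The row layout, the HTML template and the function names (renderRowUnsafe, renderRowSafe, e, templateIntact) are assumptions, and the sample rows are constructed.

```php
<?php
// Added illustration, not Feehi CMS source. Row layout, template and
// function names are assumptions made for this example.
declare(strict_types=1);

// Constructed permission rows as they might be read back from storage.
// Row 2 carries markup in each of the three fields the advisory names.
$permissions = [
    ['id' => 1, 'group' => 'Content', 'category' => 'Article',
     'description' => 'Create article'],
    ['id' => 2, 'group' => '<script>alert(1)</script>',
     'category' => '"><i>x</i>', 'description' => '<img src=x onerror=alert(1)>'],
];

// Weak: stored values are concatenated into the page unchanged.
function renderRowUnsafe(array $p): string
{
    return '<label title="' . $p['category'] . '">'
        . '<input type="checkbox" name="permissions[]" value="' . $p['id'] . '"> '
        . $p['group'] . ' / ' . $p['description'] . '</label>';
}

// Encode for HTML text and quoted-attribute contexts at output time.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Corrected: every stored field is encoded; the id is forced to an integer.
function renderRowSafe(array $p): string
{
    return '<label title="' . e($p['category']) . '">'
        . '<input type="checkbox" name="permissions[]" value="' . (int) $p['id'] . '"> '
        . e($p['group']) . ' / ' . e($p['description']) . '</label>';
}

// The template itself emits exactly 3 '<' and 8 '"'. Any extra one came
// from data and means a stored value changed the page structure.
function templateIntact(string $html): bool
{
    return substr_count($html, '<') === 3 && substr_count($html, '"') === 8;
}

foreach ($permissions as $p) {
    printf("id=%d unsafe_intact=%s safe_intact=%s\n", $p['id'],
        var_export(templateIntact(renderRowUnsafe($p)), true),
        var_export(templateIntact(renderRowSafe($p)), true));
}
```

The templateIntact check can be reused as a regression test on any page that lists permissions, so a later template change that drops the encoding is caught before release.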

Added: Apr 6, 2026, 4:42 PM
Updated: Apr 6, 2026, 4:42 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.