Aggregates CVE and security vulnerability intelligence across all feehi-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting and vendor risk ssrf and related problems; some flaws may lead to vendor impact session compromise, affecting vendor surface software deployment scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-31313 | An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Content field. | [email protected] | 5.4 | 0.02% | 2026-04-06 | 2026-04-09 |
| CVE-2026-31354 | Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters. | [email protected] | 5.4 | 0.01% | 2026-04-06 | 2026-04-09 |
| CVE-2026-31353 | An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter. | [email protected] | 5.4 | 0.02% | 2026-04-06 | 2026-04-09 |
| CVE-2026-31352 | An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter. | [email protected] | 5.4 | 0.02% | 2026-04-06 | 2026-04-09 |
| CVE-2026-31351 | An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter. | [email protected] | 4.8 | 0.03% | 2026-04-06 | 2026-04-07 |
| CVE-2026-31350 | An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter. | [email protected] | 5.4 | 0.02% | 2026-04-06 | 2026-04-09 |
| CVE-2025-15264 | A vulnerability was determined in FeehiCMS up to 2.1.1. Impacted is an unknown function of the file frontend/web/timthumb.php of the component TimThumb. Executing manipulation of the argument src can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 5.5 | 0.03% | 2025-12-30 | 2026-04-29 |
| CVE-2025-65657 | FeehiCMS version 2.1.1 has a Remote Code Execution via Unrestricted File Upload in Ad Management. FeehiCMS version 2.1.1 allows authenticated remote attackers to upload files that the server later executes (or stores in an executable location) without sufficient validation, sanitization, or execution restrictions. An authenticated remote attacker can upload a crafted PHP file and cause the application or web server to execute it, resulting in remote code execution (RCE). | [email protected] | 6.5 | 0.08% | 2025-12-02 | 2025-12-19 |
| CVE-2025-63523 | FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes. | [email protected] | 6.5 | 0.05% | 2025-12-01 | 2025-12-02 |
| CVE-2025-63522 | Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function | [email protected] | 4.6 | 0.03% | 2025-12-01 | 2025-12-02 |
| CVE-2025-63520 | Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate). | [email protected] | 6.1 | 0.03% | 2025-12-01 | 2025-12-02 |
| CVE-2024-8296 | A vulnerability was found in FeehiCMS up to 2.1.1 and classified as critical. This issue affects the function insert of the file /admin/index.php?r=user%2Fcreate. The manipulation of the argument User[avatar] leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 5.3 | 0.16% | 2024-08-29 | 2024-08-30 |
| CVE-2024-8295 | A vulnerability has been found in FeehiCMS up to 2.1.1 and classified as critical. This vulnerability affects the function createBanner of the file /admin/index.php?r=banner%2Fbanner-create. The manipulation of the argument BannerForm[img] leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 5.3 | 0.27% | 2024-08-29 | 2024-08-30 |
| CVE-2024-8294 | A vulnerability, which was classified as critical, was found in FeehiCMS up to 2.1.1. This affects the function update of the file /admin/index.php?r=friendly-link%2Fupdate. The manipulation of the argument FriendlyLink[image] leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 5.3 | 0.16% | 2024-08-29 | 2024-08-30 |
| CVE-2020-21489 | File Upload vulnerability in Feehicms v.2.0.8 allows a remote attacker to execute arbitrary code via the /admin/index.php?r=admin-user%2Fupdate-self component. | [email protected] | 9.8 | 1.66% | 2023-06-20 | 2024-12-09 |
| CVE-2020-21174 | File Upload vulenrability in liufee CMS v.2.0.7.1 allows a remote attacker to execute arbitrary code via the image suffix function. | [email protected] | 9.8 | 2.09% | 2023-06-20 | 2024-12-10 |
| CVE-2022-40373 | Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 allows remote attackers to run arbitrary code via upload of crafted XML file. | [email protected] | 5.4 | 0.26% | 2022-12-15 | 2025-04-21 |
| CVE-2022-40002 | Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbirtary code via the callback parameter to /cms/notify. | [email protected] | 5.4 | 0.17% | 2022-12-15 | 2025-04-21 |
| CVE-2022-40001 | Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the title field of the create article page. | [email protected] | 5.4 | 0.17% | 2022-12-15 | 2025-04-21 |
| CVE-2022-40000 | Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the username field of the admin log in page. | [email protected] | 5.4 | 0.17% | 2022-12-15 | 2025-04-21 |