CVE-2025-63523

MEDIUM

FeehiCMS <2.1.1 - Info Disclosure

Title source: llm

Description

FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept a request and modify such a parameter in transit, and the backend accepts the change. This can lead to unintended username changes.

Scores

CVSS v3: 6.5
EPSS: 0.0006
EPSS Percentile: 19.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-125
Status: published
Products (2):
feehi/feehicms 2.1.1
feehi/feehicms Packagist
Published: Dec 01, 2025
Tracked Since: Feb 18, 2026