PatchSiren

CVE-2026-13546 Feehi CVE debrief

CVE-2026-13546 is a medium-severity vulnerability in the REST API endpoint of Feehi CMS. The endpoint is missing authentication, and the flaw can be exploited remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. The CVE was published on June 29, 2026, and has a CVSS score of 5.5.

Vendor: Feehi
Product: CMS
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-29
Original CVE updated: 2026-06-29
Advisory published: 2026-06-29
Advisory updated: 2026-06-29

Who should care

Organizations using Feehi CMS version 2.1.1 or earlier should prioritize patching this vulnerability. The vulnerability's remote exploitability and public exploit availability increase the urgency for defenders to take action. Security teams responsible for CMS platforms should assess their exposure and implement compensating controls if patches cannot be applied immediately.

Technical summary

The vulnerability affects the /api/articles endpoint of the REST API in Feehi CMS version 2.1.1 and earlier. The endpoint is missing authentication, potentially enabling unauthorized access to, or manipulation of, article data. The vulnerability is tracked under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). The CVSS:4.0 vector is AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

Apply patches as soon as available. Implement compensating controls such as IP restrictions or API key authentication for the REST API endpoint until patches can be applied.

Recommended defensive actions

  • Apply patches as soon as available.
  • Implement compensating controls such as IP restrictions or API key authentication for the REST API endpoint until patches can be applied.
  • Monitor API usage for suspicious activity.
  • Perform a thorough inventory of Feehi CMS instances within the organization.
  • Update incident response plans to include this vulnerability.
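
One way to act on the monitoring and IP-restriction items above is to review proxy access logs for /api/articles requests that arrive from outside the permitted networks. The script below is an added example, not code from Feehi CMS or from the advisory; the combined log format, the allowlist networks, the severity labels and the sample lines are all assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: the front-end proxy writes nginx/Apache "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: placeholder allowlist standing in for the IP-restriction control.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.10/32")]
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def targets_articles(path):
    """True for /api/articles and anything beneath it, ignoring the query string."""
    bare = path.split("?", 1)[0].rstrip("/")
    return bare == "/api/articles" or bare.startswith("/api/articles/")

def review(lines):
    """Return (severity, ip, method, path, status) per request from outside ALLOWED_NETS."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not targets_articles(m["path"]):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is not an IP literal
        if any(src in net for net in ALLOWED_NETS):
            continue
        if not m["status"].startswith("2"):
            severity = "low"  # attempt was refused or failed
        elif m["method"] in WRITE_METHODS:
            severity = "high"  # article data changed from an unexpected source
        else:
            severity = "medium"  # article data read from an unexpected source
        findings.append((severity, m["ip"], m["method"], m["path"], m["status"]))
    return findings

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '10.20.3.4 - - [29/Jun/2026:10:00:01 +0000] "GET /api/articles HTTP/1.1" 200 512 "-" "cms-sync"',
    '198.51.100.7 - - [29/Jun/2026:10:02:11 +0000] "GET /api/articles?page=2 HTTP/1.1" 200 4096 "-" "curl/8.5"',
    '198.51.100.7 - - [29/Jun/2026:10:02:15 +0000] "POST /api/articles HTTP/1.1" 201 87 "-" "curl/8.5"',
    '203.0.113.9 - - [29/Jun/2026:10:05:40 +0000] "DELETE /api/articles/12 HTTP/1.1" 403 0 "-" "python-requests"',
    '203.0.113.9 - - [29/Jun/2026:10:05:41 +0000] "GET /api/articles-archive HTTP/1.1" 200 10 "-" "x"',
]

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

Successful write requests from unlisted sources rank highest because they indicate article data may already have been changed; refused requests are kept at low severity so that probing remains visible once a restriction is in place.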

Evidence notes

The CVE was published on June 29, 2026, with a CVSS score of 5.5. The vulnerability affects Feehi CMS version 2.1.1 and earlier. The exploit has been made public, and the project has been informed but has not responded. The CVE is based on information from VulDB and NVD.

This article is AI-assisted and based on the supplied source corpus.