Home
Description
FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes.
References
github.com/liufee/cms/issues/77
github.com/kiwi865/CVEs/blob/main/CVE-2025-63523.md
