| Title | liufee cms 2.1.1 Any Article Delete |
|---|
| Description | A vulnerability was found in Feehi CMS 2.1.1. It has been classified as critical. Affected are multiple REST API endpoints (GET, POST, PUT, DELETE) of the /api/articles and /api/articles/{id} routes handled by api/controllers/ArticleController.php. The vulnerability is caused by a missing authentication mechanism ArticleController does not override the behaviors() method, resulting in no authenticator or access control filter being applied to any CRUD action. An unauthenticated remote attacker can retrieve all articles including unpublished drafts which may contain sensitive internal content, create new articles, modify existing ones, and permanently delete any article by simply sending the corresponding HTTP request without any token or credentials. This vulnerability requires zero authentication and exposes full read and write access to all article resources. |
|---|
| Source | ⚠️ https://github.com/liufee/cms/issues/87 |
|---|
| User | byname (UID 98259) |
|---|
| Submission | 05/29/2026 10:16 (1 month ago) |
|---|
| Moderation | 06/28/2026 12:58 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 374554 [Feehi CMS up to 2.1.1 REST API Endpoint /api/articles missing authentication] |
|---|
| Points | 20 |
|---|