CVE-2025-63520: FeehiCMS is vulnerable to cross-site scripting via the id parameter of the User Update function

December 1, 2025 (updated December 2, 2025)

Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate).

References

github.com/advisories/GHSA-c2vx-rx6x-m9wj
github.com/kiwi865/CVEs/blob/main/CVE-2025-63520.md
github.com/liufee/cms
github.com/liufee/cms/issues/74
nvd.nist.gov/vuln/detail/CVE-2025-63520

Code Behaviors & Features

Detect and mitigate CVE-2025-63520 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →