Refine your search
6 vulnerabilities found for connect-cms by opensource-workshop
CVE-2026-32300 (GCVE-0-2026-32300)
Vulnerability from cvelistv5
Published
2026-03-23 21:40
Modified
2026-03-25 19:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Versions 1.41.1 and 2.41.1 contain a patch.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opensource-workshop | connect-cms |
Version: < 1.41.1 Version: >= 2.0.0, < 2.41.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32300",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T19:17:22.723073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T19:17:40.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "connect-cms",
"vendor": "opensource-workshop",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.1"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.41.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Versions 1.41.1 and 2.41.1 contain a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T21:40:59.009Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-qr6x-wvxr-8hm9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-qr6x-wvxr-8hm9"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/commit/7c9951738c62a1d51b91e9956d1eb756c5d52cce",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/commit/7c9951738c62a1d51b91e9956d1eb756c5d52cce"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"
}
],
"source": {
"advisory": "GHSA-qr6x-wvxr-8hm9",
"discovery": "UNKNOWN"
},
"title": "Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32300",
"datePublished": "2026-03-23T21:40:59.009Z",
"dateReserved": "2026-03-11T21:16:21.658Z",
"dateUpdated": "2026-03-25T19:17:40.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32299 (GCVE-0-2026-32299)
Vulnerability from cvelistv5
Published
2026-03-23 21:37
Modified
2026-03-24 15:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the page content retrieval feature may allow retrieval of non-public information. Versions 1.41.1 and 2.41.1 contain a patch.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opensource-workshop | connect-cms |
Version: < 1.41.1 Version: >= 2.0.0, < 2.41.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32299",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T15:48:32.482178Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T15:49:20.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "connect-cms",
"vendor": "opensource-workshop",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.1"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.41.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the page content retrieval feature may allow retrieval of non-public information. Versions 1.41.1 and 2.41.1 contain a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T21:37:49.083Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-62ch-j6x7-722j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-62ch-j6x7-722j"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"
}
],
"source": {
"advisory": "GHSA-62ch-j6x7-722j",
"discovery": "UNKNOWN"
},
"title": "Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32299",
"datePublished": "2026-03-23T21:37:49.083Z",
"dateReserved": "2026-03-11T21:16:21.658Z",
"dateUpdated": "2026-03-24T15:49:20.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32279 (GCVE-0-2026-32279)
Vulnerability from cvelistv5
Published
2026-03-23 21:36
Modified
2026-03-24 13:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Server-Side Request Forgery (SSRF) issue exists in the external page migration feature of the Page Management Plugin. Versions 1.41.1 and 2.41.1 contain a patch.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opensource-workshop | connect-cms |
Version: < 1.41.1 Version: >= 2.0.0, < 2.41.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T13:39:02.866404Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T13:40:01.660Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "connect-cms",
"vendor": "opensource-workshop",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.1"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.41.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Server-Side Request Forgery (SSRF) issue exists in the external page migration feature of the Page Management Plugin. Versions 1.41.1 and 2.41.1 contain a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T21:36:22.473Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-jh46-85jr-6ph9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-jh46-85jr-6ph9"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/commit/4a1a64a8f768a53e06a4239e25782d9e2e88fc63",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/commit/4a1a64a8f768a53e06a4239e25782d9e2e88fc63"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/commit/617a874e14b8476da7c0760a06384b9da21bdd4f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/commit/617a874e14b8476da7c0760a06384b9da21bdd4f"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"
}
],
"source": {
"advisory": "GHSA-jh46-85jr-6ph9",
"discovery": "UNKNOWN"
},
"title": "Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32279",
"datePublished": "2026-03-23T21:36:22.473Z",
"dateReserved": "2026-03-11T15:05:48.401Z",
"dateUpdated": "2026-03-24T13:40:01.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32278 (GCVE-0-2026-32278)
Vulnerability from cvelistv5
Published
2026-03-23 21:28
Modified
2026-03-24 18:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opensource-workshop | connect-cms |
Version: < 1.41.1 Version: >= 2.0.0, < 2.41.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32278",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T18:41:34.688936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:41:41.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "connect-cms",
"vendor": "opensource-workshop",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.1"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.41.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T21:28:31.587Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-mv3p-7p89-wq9p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-mv3p-7p89-wq9p"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/commit/9d87fe8ecf7f57efbb0e5231be058807734c96b3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/commit/9d87fe8ecf7f57efbb0e5231be058807734c96b3"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"
}
],
"source": {
"advisory": "GHSA-mv3p-7p89-wq9p",
"discovery": "UNKNOWN"
},
"title": "Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32278",
"datePublished": "2026-03-23T21:28:31.587Z",
"dateReserved": "2026-03-11T15:05:48.401Z",
"dateUpdated": "2026-03-24T18:41:41.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32277 (GCVE-0-2026-32277)
Vulnerability from cvelistv5
Published
2026-03-23 21:22
Modified
2026-03-24 14:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opensource-workshop | connect-cms |
Version: >= 1.35.0, < 1.41.1 Version: >= 2.35.0, < 2.41.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32277",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T14:00:59.043597Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T14:01:09.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "connect-cms",
"vendor": "opensource-workshop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.35.0, \u003c 1.41.1"
},
{
"status": "affected",
"version": "\u003e= 2.35.0, \u003c 2.41.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T21:22:08.425Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-cmfh-mpmf-fmq4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-cmfh-mpmf-fmq4"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/commit/c04dc40f814eff891915752ef1ec00ba6612441c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/commit/c04dc40f814eff891915752ef1ec00ba6612441c"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"
}
],
"source": {
"advisory": "GHSA-cmfh-mpmf-fmq4",
"discovery": "UNKNOWN"
},
"title": "Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32277",
"datePublished": "2026-03-23T21:22:08.425Z",
"dateReserved": "2026-03-11T15:05:48.400Z",
"dateUpdated": "2026-03-24T14:01:09.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32276 (GCVE-0-2026-32276)
Vulnerability from cvelistv5
Published
2026-03-23 21:06
Modified
2026-03-24 15:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to execute arbitrary code in the Code Study Plugin. Versions 1.41.1 and 2.41.1 contain a patch.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opensource-workshop | connect-cms |
Version: < 1.41.1 Version: >= 2.0.0, < 2.41.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32276",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T14:30:13.883620Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T15:13:12.123Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "connect-cms",
"vendor": "opensource-workshop",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.1"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.41.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to execute arbitrary code in the Code Study Plugin. Versions 1.41.1 and 2.41.1 contain a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T21:21:25.766Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-hxqw-6qv7-cqfv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-hxqw-6qv7-cqfv"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/commit/c0bcd07fc1e9375941aa1295d044328ecd44ed85",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/commit/c0bcd07fc1e9375941aa1295d044328ecd44ed85"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"
},
{
"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"
}
],
"source": {
"advisory": "GHSA-hxqw-6qv7-cqfv",
"discovery": "UNKNOWN"
},
"title": "Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32276",
"datePublished": "2026-03-23T21:06:32.607Z",
"dateReserved": "2026-03-11T15:05:48.400Z",
"dateUpdated": "2026-03-24T15:13:12.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}