CVE-2026-32277

Published: Mar 23, 2026Modified: Mar 24, 2026

8.7

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Exploitability: 2.3 / Impact: 5.8

Source: security-advisories@github.com (Secondary)

Description

Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch.

Affected (2)

Products: Opensource Workshop: Connect Cms

Opensource Workshop

1 product

Connect Cms

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Opensource Workshop Connect Cms	From 1.35.0 to 1.41.1
Opensource Workshop Connect Cms	From 2.35.0 to 2.41.1

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/opensource-workshop/connect-cms/commit/c04dc40f814eff891915752ef1ec00ba6612441c

Source: security-advisories@github.com

Patch

https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1

Source: security-advisories@github.com

Release Notes

https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1

Source: security-advisories@github.com

Release Notes

https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-cmfh-mpmf-fmq4

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.