CVE-2026-32278

Published: Mar 23, 2026Modified: Mar 24, 2026

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch.

Affected (2)

Products: Opensource Workshop: Connect Cms

Opensource Workshop

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Opensource Workshop Connect Cms	From 1.0.0 to 1.41.1
Opensource Workshop Connect Cms	From 2.0.0 to 2.41.1

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/opensource-workshop/connect-cms/commit/9d87fe8ecf7f57efbb0e5231be058807734c96b3

Source: security-advisories@github.com

Patch

https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1

Source: security-advisories@github.com

Release Notes

https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1

Source: security-advisories@github.com

Release Notes

https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-mv3p-7p89-wq9p

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.