Skip to main content

CVE-2026-32276

| EUVDEUVD-2026-14566 HIGH
Code Injection (CWE-94)
2026-03-23 https://github.com/opensource-workshop/connect-cms GHSA-hxqw-6qv7-cqfv
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Mar 23, 2026 - 20:45 euvd
EUVD-2026-14566
Analysis Generated
Mar 23, 2026 - 20:45 vuln.today
Patch released
Mar 23, 2026 - 20:45 nvd
Patch available
CVE Published
Mar 23, 2026 - 20:33 nvd
HIGH 8.8

DescriptionGitHub Advisory

Security Advisory - Code Study Plugin

Summary

An authenticated user may be able to execute arbitrary code in the Code Study Plugin.

Affected Versions

  • 1.x series: <= 1.41.0
  • 2.x series: <= 2.41.0

Patched Versions

  • 1.41.1
  • 2.41.1

Description

In the Code Study Plugin, an authenticated user could trigger unintended code execution. If exploited, it may lead to code execution on the server or information disclosure. Users affected by this vulnerability should update to a fixed version.

Solution

Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

Credits

OpenSource WorkShop thanks Sho Odagiri (小田切 祥) of GMO Cybersecurity by Ierae, Inc. for reporting this vulnerability.

AnalysisAI

An authenticated code injection vulnerability exists in the Code Study Plugin component of OpenSource Workshop Connect-CMS that allows authenticated users to execute arbitrary code on the server. Both the 1.x series (versions up to 1.41.0) and 2.x series (versions up to 2.41.0) are affected. With a CVSS score of 8.8 (High severity), this vulnerability enables remote code execution and information disclosure with low attack complexity and no user interaction required.

Technical ContextAI

This vulnerability is classified as CWE-94 (Improper Control of Generation of Code - Code Injection), affecting the Connect-CMS content management system developed by OpenSource Workshop. The affected products are identified via CPE as pkg:composer/opensource-workshop_connect-cms, indicating this is a PHP Composer package. Code injection vulnerabilities in this class occur when an application executes dynamically generated code using untrusted input without proper validation or sanitization. In the context of the Code Study Plugin, authenticated users can inject malicious code that gets executed by the server runtime, bypassing intended security controls. The vulnerability spans two major version branches (1.x and 2.x), suggesting it was inherited across a significant codebase evolution.

RemediationAI

Immediately upgrade to the patched versions: for 1.x series installations, upgrade to version 1.41.1 or later (available at https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1), and for 2.x series installations, upgrade to version 2.41.1 or later (available at https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1). The security fix is implemented in commit c0bcd07fc1e9375941aa1295d044328ecd44ed85, which can be reviewed at https://github.com/opensource-workshop/connect-cms/commit/c0bcd07fc1e9375941aa1295d044328ecd44ed85. Complete remediation guidance is available in the vendor security advisory at https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-hxqw-6qv7-cqfv. If immediate patching is not feasible, consider temporarily disabling the Code Study Plugin, restricting authenticated user permissions to only trusted administrators, and implementing additional input validation at the web application firewall level until the upgrade can be completed.

Share

CVE-2026-32276 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy