Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Security Advisory - Code Study Plugin
Summary
An authenticated user may be able to execute arbitrary code in the Code Study Plugin.
Affected Versions
- 1.x series: <= 1.41.0
- 2.x series: <= 2.41.0
Patched Versions
- 1.41.1
- 2.41.1
Description
In the Code Study Plugin, an authenticated user could trigger unintended code execution. If exploited, it may lead to code execution on the server or information disclosure. Users affected by this vulnerability should update to a fixed version.
Solution
Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.
Credits
OpenSource WorkShop thanks Sho Odagiri (小田切 祥) of GMO Cybersecurity by Ierae, Inc. for reporting this vulnerability.
AnalysisAI
An authenticated code injection vulnerability exists in the Code Study Plugin component of OpenSource Workshop Connect-CMS that allows authenticated users to execute arbitrary code on the server. Both the 1.x series (versions up to 1.41.0) and 2.x series (versions up to 2.41.0) are affected. With a CVSS score of 8.8 (High severity), this vulnerability enables remote code execution and information disclosure with low attack complexity and no user interaction required.
Technical ContextAI
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code - Code Injection), affecting the Connect-CMS content management system developed by OpenSource Workshop. The affected products are identified via CPE as pkg:composer/opensource-workshop_connect-cms, indicating this is a PHP Composer package. Code injection vulnerabilities in this class occur when an application executes dynamically generated code using untrusted input without proper validation or sanitization. In the context of the Code Study Plugin, authenticated users can inject malicious code that gets executed by the server runtime, bypassing intended security controls. The vulnerability spans two major version branches (1.x and 2.x), suggesting it was inherited across a significant codebase evolution.
RemediationAI
Immediately upgrade to the patched versions: for 1.x series installations, upgrade to version 1.41.1 or later (available at https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1), and for 2.x series installations, upgrade to version 2.41.1 or later (available at https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1). The security fix is implemented in commit c0bcd07fc1e9375941aa1295d044328ecd44ed85, which can be reviewed at https://github.com/opensource-workshop/connect-cms/commit/c0bcd07fc1e9375941aa1295d044328ecd44ed85. Complete remediation guidance is available in the vendor security advisory at https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-hxqw-6qv7-cqfv. If immediate patching is not feasible, consider temporarily disabling the Code Study Plugin, restricting authenticated user permissions to only trusted administrators, and implementing additional input validation at the web application firewall level until the upgrade can be completed.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14566
GHSA-hxqw-6qv7-cqfv