Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Security Advisory - Cabinet Plugin (DOM-based XSS)
Summary
A DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view.
Affected Versions
- 1.x series: >= 1.35.0, <= 1.41.0
- 2.x series: >= 2.35.0, <= 2.41.0
Patched Versions
- 1.41.1
- 2.41.1
Description
In the Cabinet Plugin list view, DOM-based Cross-Site Scripting (XSS) could occur due to how saved names were rendered. If exploited, arbitrary script could run in the victim's browser, which may lead to unauthorized actions or information theft. Exploitation requires that the attacker be able to reach the affected functionality as an authenticated user. Users affected by this vulnerability should update to a fixed version.
Solution
Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.
Credits
OpenSource WorkShop thanks Sho Odagiri (小田切 祥) of GMO Cybersecurity by Ierae, Inc. for reporting this vulnerability.
AnalysisAI
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Cabinet Plugin list view of Connect CMS, affecting versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0. An authenticated attacker can execute arbitrary JavaScript in victim browsers by manipulating how saved names are rendered, potentially leading to session hijacking, credential theft, or unauthorized actions. The vulnerability carries a CVSS score of 8.7 (High) and patches are available, with no evidence of active exploitation or public proof-of-concept at this time.
Technical ContextAI
This vulnerability affects Connect CMS (pkg:composer/opensource-workshop_connect-cms), an open-source content management system. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a DOM-based XSS variant where client-side JavaScript code improperly processes user-controlled data (saved names in the Cabinet Plugin list view) without adequate sanitization. Unlike reflected or stored XSS, DOM-based XSS occurs entirely within the browser's Document Object Model when scripts dynamically update page content using attacker-controlled input, making it harder to detect through traditional server-side security controls.
RemediationAI
Organizations running Connect CMS should immediately upgrade to version 1.41.1 or later for the 1.x series, or version 2.41.1 or later for the 2.x series, as documented in the GitHub releases at https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1 and https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1. The patch commit is available at https://github.com/opensource-workshop/connect-cms/commit/c04dc40f814eff891915752ef1ec00ba6612441c. Until patching is completed, temporary mitigations include restricting access to the Cabinet Plugin list view functionality to only trusted administrative users, implementing Content Security Policy (CSP) headers to limit script execution, and monitoring for suspicious saved name entries that contain JavaScript code fragments or encoded payloads.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14568
GHSA-cmfh-mpmf-fmq4