Skip to main content

CVE-2026-32277

| EUVDEUVD-2026-14568 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-23 https://github.com/opensource-workshop/connect-cms GHSA-cmfh-mpmf-fmq4
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 23, 2026 - 20:45 euvd
EUVD-2026-14568
Analysis Generated
Mar 23, 2026 - 20:45 vuln.today
Patch released
Mar 23, 2026 - 20:45 nvd
Patch available
CVE Published
Mar 23, 2026 - 20:35 nvd
HIGH 8.7

DescriptionGitHub Advisory

Security Advisory - Cabinet Plugin (DOM-based XSS)

Summary

A DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view.

Affected Versions

  • 1.x series: >= 1.35.0, <= 1.41.0
  • 2.x series: >= 2.35.0, <= 2.41.0

Patched Versions

  • 1.41.1
  • 2.41.1

Description

In the Cabinet Plugin list view, DOM-based Cross-Site Scripting (XSS) could occur due to how saved names were rendered. If exploited, arbitrary script could run in the victim's browser, which may lead to unauthorized actions or information theft. Exploitation requires that the attacker be able to reach the affected functionality as an authenticated user. Users affected by this vulnerability should update to a fixed version.

Solution

Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

Credits

OpenSource WorkShop thanks Sho Odagiri (小田切 祥) of GMO Cybersecurity by Ierae, Inc. for reporting this vulnerability.

AnalysisAI

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Cabinet Plugin list view of Connect CMS, affecting versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0. An authenticated attacker can execute arbitrary JavaScript in victim browsers by manipulating how saved names are rendered, potentially leading to session hijacking, credential theft, or unauthorized actions. The vulnerability carries a CVSS score of 8.7 (High) and patches are available, with no evidence of active exploitation or public proof-of-concept at this time.

Technical ContextAI

This vulnerability affects Connect CMS (pkg:composer/opensource-workshop_connect-cms), an open-source content management system. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a DOM-based XSS variant where client-side JavaScript code improperly processes user-controlled data (saved names in the Cabinet Plugin list view) without adequate sanitization. Unlike reflected or stored XSS, DOM-based XSS occurs entirely within the browser's Document Object Model when scripts dynamically update page content using attacker-controlled input, making it harder to detect through traditional server-side security controls.

RemediationAI

Organizations running Connect CMS should immediately upgrade to version 1.41.1 or later for the 1.x series, or version 2.41.1 or later for the 2.x series, as documented in the GitHub releases at https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1 and https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1. The patch commit is available at https://github.com/opensource-workshop/connect-cms/commit/c04dc40f814eff891915752ef1ec00ba6612441c. Until patching is completed, temporary mitigations include restricting access to the Cabinet Plugin list view functionality to only trusted administrative users, implementing Content Security Policy (CSP) headers to limit script execution, and monitoring for suspicious saved name entries that contain JavaScript code fragments or encoded payloads.

Share

CVE-2026-32277 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy