Skip to main content

CVE-2026-32278

| EUVDEUVD-2026-14570 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-23 https://github.com/opensource-workshop/connect-cms GHSA-mv3p-7p89-wq9p
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

4
EUVD ID Assigned
Mar 23, 2026 - 20:45 euvd
EUVD-2026-14570
Analysis Generated
Mar 23, 2026 - 20:45 vuln.today
Patch released
Mar 23, 2026 - 20:45 nvd
Patch available
CVE Published
Mar 23, 2026 - 20:36 nvd
HIGH 8.2

DescriptionGitHub Advisory

Security Advisory - Form Plugin (Stored XSS)

Summary

A Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin.

Affected Versions

  • 1.x series: <= 1.41.0
  • 2.x series: <= 2.41.0

Patched Versions

  • 1.41.1
  • 2.41.1

Description

In the file field of the Form Plugin, Stored Cross-site Scripting (XSS) could occur. If exploited, arbitrary script could run in an administrator's browser, which may lead to unauthorized actions or information theft. Users affected by this vulnerability should update to a fixed version.

Solution

Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

Credits

OpenSource WorkShop thanks Sho Odagiri (小田切 祥) of GMO Cybersecurity by Ierae, Inc. for reporting this vulnerability.

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in the file field component of the Form Plugin within Connect-CMS. The vulnerability affects Connect-CMS versions 1.41.0 and earlier in the 1.x series, and versions 2.41.0 and earlier in the 2.x series. If exploited, an attacker can inject malicious scripts that execute in an administrator's browser, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. The vulnerability has been patched and a fix is available from the vendor.

Technical ContextAI

The vulnerability affects the opensource-workshop/connect-cms Composer package, specifically within the Form Plugin's file field functionality. According to the CPE strings (pkg:composer/opensource-workshop_connect-cms), this is a PHP-based content management system distributed via Composer. The root cause is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating that the file field does not properly sanitize or validate uploaded files or associated metadata, allowing an attacker to inject and store malicious JavaScript code. This stored XSS persists in the application database and executes whenever an administrator views the compromised form data. The vulnerability was identified and reported by Sho Odagiri of GMO Cybersecurity by Ierae, Inc.

RemediationAI

Organizations using Connect-CMS should immediately upgrade to version 1.41.1 or later for the 1.x series, or version 2.41.1 or later for the 2.x series. The patch commit addressing this vulnerability is available at https://github.com/opensource-workshop/connect-cms/commit/9d87fe8ecf7f57efbb0e5231be058807734c96b3 for review. Release packages can be obtained from https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1 and https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1. As a temporary mitigation until patching is possible, consider implementing Content Security Policy (CSP) headers to restrict script execution, limiting access to form administration interfaces to trusted IP ranges, and increasing monitoring for suspicious file uploads or unusual administrator activity. Refer to the complete vendor advisory at https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-mv3p-7p89-wq9p for additional guidance.

Share

CVE-2026-32278 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy