Skip to main content

CVE-2026-32279

| EUVDEUVD-2026-14573 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-23 https://github.com/opensource-workshop/connect-cms
6.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 23, 2026 - 20:45 euvd
EUVD-2026-14573
Analysis Generated
Mar 23, 2026 - 20:45 vuln.today
Patch released
Mar 23, 2026 - 20:45 nvd
Patch available
CVE Published
Mar 23, 2026 - 20:36 nvd
MEDIUM 6.8

DescriptionGitHub Advisory

Security Advisory - Page Management Plugin (SSRF)

Summary

A Server-Side Request Forgery (SSRF) issue exists in the external page migration feature of the Page Management Plugin.

Affected Versions

  • 1.x series: <= 1.41.0
  • 2.x series: <= 2.41.0

Patched Versions

  • 1.41.1
  • 2.41.1

Description

In the external page migration feature of the Page Management Plugin, a Server-Side Request Forgery (SSRF) issue could occur. If exploited, it may allow access to internal destinations and could result in information disclosure. Exploitation requires privileges that allow use of the page management screen. Users affected by this vulnerability should update to a fixed version.

Solution

Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

Credits

OpenSource WorkShop thanks Sho Odagiri (小田切 祥) of GMO Cybersecurity by Ierae, Inc. for reporting this vulnerability.

AnalysisAI

A Server-Side Request Forgery (SSRF) vulnerability exists in the external page migration feature of the Page Management Plugin (Connect CMS), allowing authenticated attackers with page management screen access to make the server perform requests to internal destinations and disclose sensitive information. The vulnerability affects Connect CMS versions 1.x through 1.41.0 and 2.x through 2.41.0, with patches available in versions 1.41.1 and 2.41.1 respectively. With a CVSS score of 6.8 and moderate attack complexity requiring high privileges, this represents a real but bounded risk primarily to organizations running older plugin versions with administrative users who may be compromised or malicious.

Technical ContextAI

The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and occurs in the external page migration functionality of Connect CMS, a Composer-based PHP package (pkg:composer/opensource-workshop/connect-cms). SSRF vulnerabilities arise when application code constructs HTTP requests based on user-controlled input without proper validation or allowlisting of target destinations. In this case, the page migration feature likely accepts URLs or destinations from authenticated users and fetches remote pages without validating whether those URLs point to internal resources (private IP ranges, localhost, internal service endpoints, or cloud metadata services). The lack of URL scheme validation, destination filtering, or network segmentation allows attackers to probe internal infrastructure, access metadata services, or retrieve sensitive configuration data from internal endpoints.

RemediationAI

Immediately upgrade Connect CMS to version 1.41.1 or later for 1.x series installations, or to version 2.41.1 or later for 2.x series installations. The patches are available from the official GitHub releases at https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1 and https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1, with commit-level details available at https://github.com/opensource-workshop/connect-cms/commit/4a1a64a8f768a53e06a4239e25782d9e2e88fc63 and https://github.com/opensource-workshop/connect-cms/commit/617a874e14b8476da7c0760a06384b9da21bdd4f. For organizations unable to patch immediately, implement network-level mitigations by restricting outbound connections from the application server using firewall rules that block access to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1, and link-local addresses), and disable access to cloud metadata endpoints (169.254.169.254 for AWS/GCP/Azure). Additionally, audit and restrict the set of users with page management screen permissions to reduce the pool of potential attackers, and monitor outbound network connections from the application server for suspicious internal requests.

Share

CVE-2026-32279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy