EUVD-2026-14568
GHSA-cmfh-mpmf-fmq4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
4Tags
Description
# Security Advisory - Cabinet Plugin (DOM-based XSS) ## Summary A DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. ## Affected Versions - 1.x series: >= 1.35.0, <= 1.41.0 - 2.x series: >= 2.35.0, <= 2.41.0 ## Patched Versions - 1.41.1 - 2.41.1 ## Description In the Cabinet Plugin list view, DOM-based Cross-Site Scripting (XSS) could occur due to how saved names were rendered. If exploited, arbitrary script could run in the victim's browser, which may lead to unauthorized actions or information theft. Exploitation requires that the attacker be able to reach the affected functionality as an authenticated user. Users affected by this vulnerability should update to a fixed version. ## Solution Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later. ## Credits OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.
Analysis
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Cabinet Plugin list view of Connect CMS, affecting versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0. An authenticated attacker can execute arbitrary JavaScript in victim browsers by manipulating how saved names are rendered, potentially leading to session hijacking, credential theft, or unauthorized actions. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Connect CMS instances and confirm affected versions; restrict Cabinet Plugin access to essential personnel only. Within 7 days: Apply available vendor patches to all production and non-production environments; test patches in staging first. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today