{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32278", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T15:05:48.401Z", "datePublished": "2026-03-23T21:28:31.587Z", "dateUpdated": "2026-03-24T18:41:41.556Z"}, "containers": {"cna": {"title": "Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-mv3p-7p89-wq9p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-mv3p-7p89-wq9p"}, {"name": "https://github.com/opensource-workshop/connect-cms/commit/9d87fe8ecf7f57efbb0e5231be058807734c96b3", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensource-workshop/connect-cms/commit/9d87fe8ecf7f57efbb0e5231be058807734c96b3"}, {"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"}, {"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"}], "affected": [{"vendor": "opensource-workshop", "product": "connect-cms", "versions": [{"version": "< 1.41.1", "status": "affected"}, {"version": ">= 2.0.0, < 2.41.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T21:28:31.587Z"}, "descriptions": [{"lang": "en", "value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch."}], "source": {"advisory": "GHSA-mv3p-7p89-wq9p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:41:34.688936Z", "id": "CVE-2026-32278", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:41:41.556Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32278", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T18:41:34.688936Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:41:38.373Z"}}], "cna": {"title": "Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin", "source": {"advisory": "GHSA-mv3p-7p89-wq9p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "opensource-workshop", "product": "connect-cms", "versions": [{"status": "affected", "version": "< 1.41.1"}, {"status": "affected", "version": ">= 2.0.0, < 2.41.1"}]}], "references": [{"url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-mv3p-7p89-wq9p", "name": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-mv3p-7p89-wq9p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/opensource-workshop/connect-cms/commit/9d87fe8ecf7f57efbb0e5231be058807734c96b3", "name": "https://github.com/opensource-workshop/connect-cms/commit/9d87fe8ecf7f57efbb0e5231be058807734c96b3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1", "name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1", "name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T21:28:31.587Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32278", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:41:41.556Z", "dateReserved": "2026-03-11T15:05:48.401Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T21:28:31.587Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensource-workshop:connect-cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "60B8BBDF-82BD-486D-AE17-7F59360E62C3", "versionEndExcluding": "1.41.1", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensource-workshop:connect-cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C11B4F0-DF29-473A-A285-9DA152DDCDE1", "versionEndExcluding": "2.41.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch."}, {"lang": "es", "value": "Connect-CMS es un sistema de gesti\u00f3n de contenido. En las versiones de la serie 1.x hasta la 1.41.0 inclusive y en las versiones de la serie 2.x hasta la 2.41.0 inclusive, existe un problema de cross-site scripting (XSS) almacenado en el campo de archivo del Plugin de Formulario. Las versiones 1.41.1 y 2.41.1 contienen un parche."}], "id": "CVE-2026-32278", "lastModified": "2026-03-24T20:27:19.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-23T22:16:27.443", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/opensource-workshop/connect-cms/commit/9d87fe8ecf7f57efbb0e5231be058807734c96b3"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-mv3p-7p89-wq9p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.41.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.41.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "connect-cms", "source": "cna", "vendor": "opensource-workshop"}, "product": "connect-cms", "vendor": "opensource-workshop"}], "analysis": {"en": {"generated_at": "2026-03-24T21:49:52.244823+00:00", "value": {"mitigation_remediation": ["Upgrade Connect CMS to version 1.41.1 or 2.41.1 to apply the official patch.", "If an immediate upgrade is not possible, disable the file upload feature in the Form Plugin or restrict it to administrators only.", "Manually review existing files for injected scripts and cleanse the data before rendering.", "Verify that the file upload accepts only the intended MIME types and that output is properly escaped to prevent XSS."], "summary": {"action": "Patch Now", "impact": "Stored Cross-site Scripting"}, "threat_synthesis": {"affected_systems": "Connect CMS, developed by Open Source Workshop, is directly affected. All versions in the 1.x series up to and including 1.41.0 and the 2.x series up to and including 2.41.0 contain the flaw. Versions 1.41.1 and 2.41.1 contain the fix. The vulnerability is present in the Form Plugin's file field.", "description_and_impact": "Stored cross-site scripting vulnerabilities allow attackers to inject malicious scripts that persist in the system and execute in the browsers of other users who view the affected content. In this case, a manipulated file field within the Form Plugin can store user-supplied code. Attackers could then exfiltrate session data, deface the site, or perform social engineering against administrators or visitors. The weakness corresponds to CWE-79, and the input handling flaw is associated with CWE-434 (unrestricted file upload).", "risk_and_exploitability": "The CVSS score of 8.2 indicates a high severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation would require a user to submit a forged file through the form plugin, after which the malicious script would persist in the database and execute whenever any user processes that file. Because the stored payload is delivered via normal web pages, the attack vector is remote and relies on web access to the CMS."}}}}, "created": "2026-03-24T10:32:37.508525+00:00", "updated": "2026-03-25T20:36:25.390236+00:00", "vendors": ["opensource-workshop", "opensource-workshop$PRODUCT$connect-cms"]}