{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32279", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T15:05:48.401Z", "datePublished": "2026-03-23T21:36:22.473Z", "dateUpdated": "2026-03-24T13:40:01.660Z"}, "containers": {"cna": {"title": "Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-jh46-85jr-6ph9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-jh46-85jr-6ph9"}, {"name": "https://github.com/opensource-workshop/connect-cms/commit/4a1a64a8f768a53e06a4239e25782d9e2e88fc63", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensource-workshop/connect-cms/commit/4a1a64a8f768a53e06a4239e25782d9e2e88fc63"}, {"name": "https://github.com/opensource-workshop/connect-cms/commit/617a874e14b8476da7c0760a06384b9da21bdd4f", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensource-workshop/connect-cms/commit/617a874e14b8476da7c0760a06384b9da21bdd4f"}, {"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"}, {"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"}], "affected": [{"vendor": "opensource-workshop", "product": "connect-cms", "versions": [{"version": "< 1.41.1", "status": "affected"}, {"version": ">= 2.0.0, < 2.41.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T21:36:22.473Z"}, "descriptions": [{"lang": "en", "value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Server-Side Request Forgery (SSRF) issue exists in the external page migration feature of the Page Management Plugin. Versions 1.41.1 and 2.41.1 contain a patch."}], "source": {"advisory": "GHSA-jh46-85jr-6ph9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:39:02.866404Z", "id": "CVE-2026-32279", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:40:01.660Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32279", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:39:02.866404Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:39:53.756Z"}}], "cna": {"title": "Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin", "source": {"advisory": "GHSA-jh46-85jr-6ph9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "opensource-workshop", "product": "connect-cms", "versions": [{"status": "affected", "version": "< 1.41.1"}, {"status": "affected", "version": ">= 2.0.0, < 2.41.1"}]}], "references": [{"url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-jh46-85jr-6ph9", "name": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-jh46-85jr-6ph9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/opensource-workshop/connect-cms/commit/4a1a64a8f768a53e06a4239e25782d9e2e88fc63", "name": "https://github.com/opensource-workshop/connect-cms/commit/4a1a64a8f768a53e06a4239e25782d9e2e88fc63", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/opensource-workshop/connect-cms/commit/617a874e14b8476da7c0760a06384b9da21bdd4f", "name": "https://github.com/opensource-workshop/connect-cms/commit/617a874e14b8476da7c0760a06384b9da21bdd4f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1", "name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1", "name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Server-Side Request Forgery (SSRF) issue exists in the external page migration feature of the Page Management Plugin. Versions 1.41.1 and 2.41.1 contain a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T21:36:22.473Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32279", "state": "PUBLISHED", "dateUpdated": "2026-03-24T13:40:01.660Z", "dateReserved": "2026-03-11T15:05:48.401Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T21:36:22.473Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensource-workshop:connect-cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "60B8BBDF-82BD-486D-AE17-7F59360E62C3", "versionEndExcluding": "1.41.1", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensource-workshop:connect-cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C11B4F0-DF29-473A-A285-9DA152DDCDE1", "versionEndExcluding": "2.41.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Server-Side Request Forgery (SSRF) issue exists in the external page migration feature of the Page Management Plugin. Versions 1.41.1 and 2.41.1 contain a patch."}, {"lang": "es", "value": "Connect-CMS es un sistema de gesti\u00f3n de contenidos. En las versiones de la serie 1.x hasta la 1.41.0 inclusive y las versiones de la serie 2.x hasta la 2.41.0 inclusive, existe un problema de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en la funci\u00f3n de migraci\u00f3n de p\u00e1ginas externas del plugin de Gesti\u00f3n de P\u00e1ginas. Las versiones 1.41.1 y 2.41.1 contienen un parche."}], "id": "CVE-2026-32279", "lastModified": "2026-03-24T20:28:36.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T22:16:27.617", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/opensource-workshop/connect-cms/commit/4a1a64a8f768a53e06a4239e25782d9e2e88fc63"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/opensource-workshop/connect-cms/commit/617a874e14b8476da7c0760a06384b9da21bdd4f"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-jh46-85jr-6ph9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.41.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.41.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "connect-cms", "source": "cna", "vendor": "opensource-workshop"}, "product": "connect-cms", "vendor": "opensource-workshop"}], "analysis": {"en": {"generated_at": "2026-03-24T22:10:59.809710+00:00", "value": {"mitigation_remediation": ["Update Connect\u2011CMS to version 1.41.1 or 2.41.1 where the SSRF is fixed.", "If an upgrade cannot yet be performed, disable the External Page Migration feature within the Page Management Plugin to block the attack pathway.", "Monitor server logs for unexpected outbound requests originating from Connect\u2011CMS as an early indicator of exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011side request forgery allowing the CMS to make arbitrary outbound requests"}, "threat_synthesis": {"affected_systems": "Versions of Connect\u2011CMS from the 1.x series up to 1.41.0 and the 2.x series up to 2.41.0 are affected. Versions 1.41.1 and 2.41.1 contain a patch that eliminates the SSRF condition. The affected product is identified as opensource\u2011workshop Connect\u2011CMS.", "description_and_impact": "Connect\u2011CMS includes a server\u2011side request forgery vulnerability in the External Page Migration feature of the Page Management Plugin. The likely attack vector is that an attacker supplies a crafted migration URL, causing the CMS server to initiate HTTP requests to arbitrary internal or external addresses. Based on the description, it is inferred that such requests could expose confidential resources, bypass network segmentation, or serve as a foothold for further attacks against the host system or underlying network. The weakness is classified as CWE\u2011918.", "risk_and_exploitability": "The CVSS score of 6.8 indicates a medium severity impact, while the EPSS score of less than 1% suggests a low likelihood of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to invoke the external page migration function\u2014which may be reachable by authenticated users with plugin access or potentially by unauthenticated users if the feature is exposed. This inference comes directly from the described symptom that the flaw exists in the page migration feature. Although the statistical likelihood is currently low, the potential to reach internal services or sensitive data makes prompt remediation advisable."}}}}, "created": "2026-03-24T10:30:13.189173+00:00", "updated": "2026-03-25T20:36:21.471408+00:00", "vendors": ["opensource-workshop", "opensource-workshop$PRODUCT$connect-cms"]}