Description
Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch.
Published: 2026-03-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (DOM‑based)
Action: Apply Patch
AI Analysis

Impact

Connect‑CMS suffers from a DOM‑based Cross‑Site Scripting vulnerability in the Cabinet Plugin list view, affecting versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0. The flaw allows an attacker to inject and execute malicious JavaScript when a user accesses the list view, potentially leading to session hijacking, defacement, or the injection of further malware into the authenticated user's browser session.

Affected Systems

The vulnerability impacts the OpenSource‑Workshop Connect‑CMS product. All installations running the affected editions – 1.35.0 to 1.41.0 or 2.35.0 to 2.41.0 – are susceptible. Versions 1.41.1 and 2.41.1 contain the fix.

Risk and Exploitability

The CVSS score of 8.7 categorizes this issue as high severity, and the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Attackers can likely exploit it by navigating to the cabinet plugin list view in a web browser and injecting script payloads that are reflected into the DOM; no authentication requirement was specified in the release notes, so the ease of attack is uncertain but the potential impact remains significant for any affected user. Prompt remediation is therefore recommended.

Generated by OpenCVE AI on March 24, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Connect‑CMS to version 1.41.1 or 2.41.1 to obtain the vendor patch.
  • If an update cannot be performed immediately, restrict or disable access to the cabinet plugin list view and consider implementing a strong Content Security Policy to block injected script execution.
  • Monitor web traffic for signs of XSS exploitation and review logs for abnormalities.

Generated by OpenCVE AI on March 24, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cmfh-mpmf-fmq4 Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View
History

Tue, 24 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:opensource-workshop:connect-cms:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Opensource-workshop
Opensource-workshop connect-cms
Vendors & Products Opensource-workshop
Opensource-workshop connect-cms

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch.
Title Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Opensource-workshop Connect-cms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T14:01:09.422Z

Reserved: 2026-03-11T15:05:48.400Z

Link: CVE-2026-32277

cve-icon Vulnrichment

Updated: 2026-03-24T14:01:04.822Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T22:16:27.260

Modified: 2026-03-24T20:01:38.470

Link: CVE-2026-32277

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:36:27Z

Weaknesses