Description
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch.
Published: 2026-03-23
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-site Scripting
Action: Patch Now
AI Analysis

Impact

Stored cross-site scripting vulnerabilities allow attackers to inject malicious scripts that persist in the system and execute in the browsers of other users who view the affected content. In this case, the file field of the Form Plugin can store attacker-controlled input, which is later rendered to other users. Attackers could then exfiltrate session data, deface the site, or perform social engineering against administrators or visitors. The weakness corresponds to CWE-79, and the underlying input-handling flaw is associated with CWE-434 (unrestricted file upload).

Affected Systems

Connect CMS, developed by Open Source Workshop, is directly affected. All versions in the 1.x series up to and including 1.41.0 and the 2.x series up to and including 2.41.0 contain the flaw. Versions 1.41.1 and 2.41.1 contain the fix. The vulnerability is present in the Form Plugin's file field.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation would require a user to submit a crafted file through the Form Plugin, after which the malicious script would persist in the database and execute whenever another user views or processes that file. Because the stored payload is delivered via normal web pages, the attack vector is remote and relies only on web access to the CMS.

Generated by OpenCVE AI on March 24, 2026 at 21:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Connect CMS to version 1.41.1 or 2.41.1 to apply the official patch.
  • If an immediate upgrade is not possible, disable the file upload feature in the Form Plugin or restrict it to administrators only.
  • Manually review existing form submissions for injected script content in the file field and sanitize the data before it is rendered.
  • Verify that the file upload accepts only the intended MIME types and that output is properly escaped to prevent XSS.

Advisories
Source       ID                    Title
Github GHSA  GHSA-mv3p-7p89-wq9p   Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin
History

Tue, 24 Mar 2026 20:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-79
CPEs                          cpe:2.3:a:opensource-workshop:connect-cms:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 19:15:00 +0000

Type         Values Removed   Values Added
Metrics                       ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Opensource-workshop; Opensource-workshop connect-cms
Vendors & Products                     Opensource-workshop; Opensource-workshop connect-cms

Tue, 24 Mar 2026 02:30:00 +0000

Type         Values Removed   Values Added
Description                   Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch.
Title                         Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin
Weaknesses                    CWE-434
References
Metrics                       cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:41:41.556Z

Reserved: 2026-03-11T15:05:48.401Z

Link: CVE-2026-32278

Vulnrichment

Updated: 2026-03-24T18:41:38.373Z

NVD

Status: Analyzed

Published: 2026-03-23T22:16:27.443

Modified: 2026-03-24T20:27:19.903

Link: CVE-2026-32278

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:25Z

Weaknesses