CVE-2026-32276
HIGH8.8EPSS 0.10%Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin
Description
# Security Advisory — Code Study Plugin ## Summary An authenticated user may be able to execute arbitrary code in the Code Study Plugin. ## Affected Versions - 1.x series: <= 1.41.0 - 2.x series: <= 2.41.0 ## Patched Versions - 1.41.1 - 2.41.1 ## Description In the Code Study Plugin, an authenticated user could trigger unintended code execution. If exploited, it may lead to code execution on the server or information disclosure. Users affected by this vulnerability should update to a fixed version. ## Solution Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later. ## Credits OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.
Affected packages (1)
- Packagist/opensource-workshop/connect-cmsfrom 0, < 1.41.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32276
- PATCHhttps://github.com/opensource-workshop/connect-cms
- WEBhttps://github.com/opensource-workshop/connect-cms/commit/c0bcd07fc1e9375941aa1295d044328ecd44ed85
- WEBhttps://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1
- WEBhttps://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1
- WEBhttps://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-hxqw-6qv7-cqfv