CVE-2026-32278
HIGH8.2EPSS 0.05%Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin
Description
# Security Advisory — Form Plugin (Stored XSS) ## Summary A Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. ## Affected Versions - 1.x series: <= 1.41.0 - 2.x series: <= 2.41.0 ## Patched Versions - 1.41.1 - 2.41.1 ## Description In the file field of the Form Plugin, Stored Cross-site Scripting (XSS) could occur. If exploited, arbitrary script could run in an administrator's browser, which may lead to unauthorized actions or information theft. Users affected by this vulnerability should update to a fixed version. ## Solution Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later. ## Credits OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.
Affected packages (1)
- Packagist/opensource-workshop/connect-cmsfrom 0, < 1.41.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.2 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32278
- PATCHhttps://github.com/opensource-workshop/connect-cms
- WEBhttps://github.com/opensource-workshop/connect-cms/commit/9d87fe8ecf7f57efbb0e5231be058807734c96b3
- WEBhttps://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1
- WEBhttps://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1
- WEBhttps://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-mv3p-7p89-wq9p