CVE-2026-32276 HIGH

CVE-2026-32276: Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin

Vendor Opensource-Workshop
Product connect-cms
Weakness CWE-94 · Code injection
Published March 23, 2026
Last update March 24, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Connect-CMS is a content management system. In the 1.x series up to and including version 1.41.0, and in the 2.x series up to and including version 2.41.0, an authenticated user may be able to execute arbitrary code in the Code Study Plugin. Versions 1.41.1 and 2.41.1 contain a patch.

Key dates

02 Disclosure timeline

March 23, 2026 CVE published
March 24, 2026 Record updated