CVE-2026-32278 HIGH

CVE-2026-32278: Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin

Vendor Opensource-Workshop
Product connect-cms
Weakness CWE-434 · Unrestricted file upload
Published March 23, 2026
Last update March 24, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L

What the vulnerability does

01Description

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch.

Key dates

02Disclosure timeline

March 23, 2026 CVE published
March 24, 2026 Record updated