Cyber Resilience

CVE-2026-32276

HighRCE

Published: 23 March 2026

Published
23 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0046 36.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32276 is a high-severity Code Injection (CWE-94) vulnerability in Opensource-Workshop Connect-Cms. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Connect-CMS, an open-source content management system, is affected by CVE-2026-32276, a code injection vulnerability (CWE-94) in its Code Study Plugin. The flaw impacts versions in the 1.x series up to and including 1.41.0 and the 2.x series up to and including 2.41.0. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential for complete system compromise.

An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows arbitrary code execution on the server, granting high confidentiality, integrity, and availability impacts, such as full control over the affected Connect-CMS instance.

Mitigation is available via patched versions 1.41.1 and 2.41.1, as detailed in the project's GitHub security advisory (GHSA-hxqw-6qv7-cqfv) and release notes. The fixing commit (c0bcd07fc1e9375941aa1295d044328ecd44ed85) addresses the issue in the Code Study Plugin, and administrators should upgrade immediately to eliminate the risk.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to execute arbitrary code in the…

more

Code Study Plugin. Versions 1.41.1 and 2.41.1 contain a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Remote authenticated code injection (CWE-94) in public-facing CMS plugin directly enables T1190 for initial server access, T1059 for arbitrary code/command execution, and T1068 for low-to-high privilege escalation resulting in full system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32300Same product: Opensource-Workshop Connect-Cms
CVE-2026-32299Same product: Opensource-Workshop Connect-Cms
CVE-2026-32278Same product: Opensource-Workshop Connect-Cms
CVE-2026-32277Same product: Opensource-Workshop Connect-Cms
CVE-2025-41699Shared CWE-94
CVE-2026-25227Shared CWE-94
CVE-2026-26045Shared CWE-94
CVE-2025-33239Shared CWE-94
CVE-2024-11600Shared CWE-94
CVE-2025-67979Shared CWE-94

Affected Assets

opensource-workshop
connect-cms
1.0.0 — 1.41.1 · 2.0.0 — 2.41.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of software flaws like this code injection vulnerability through patching to versions 1.41.1 or 2.41.1.

prevent

Mandates validation of untrusted inputs to the Code Study Plugin to block code injection exploits (CWE-94) by authenticated users.

detect

Enables vulnerability scanning to identify the presence of CVE-2026-32276 in deployed Connect-CMS instances for prioritized remediation.

References