CVE-2026-32277
Published: 23 March 2026
Summary
CVE-2026-32277 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Opensource-Workshop Connect-Cms. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 24.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-32277 is a DOM-based Cross-Site Scripting (XSS) vulnerability (CWE-79) in Connect-CMS, an open-source content management system. It affects versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, specifically in the Cabinet Plugin list view. The issue was published on 2026-03-23 and carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).
An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity by tricking a user into performing an action, such as interacting with a maliciously crafted link or input in the Cabinet Plugin list view. Successful exploitation changes the security scope, enabling high-impact confidentiality and integrity violations, such as session hijacking, data theft, or unauthorized modifications within the victim's browser context.
Patches addressing this vulnerability are available in Connect-CMS versions 1.41.1 and 2.41.1. Details on the fix are provided in the GitHub commit c04dc40f814eff891915752ef1ec00ba6612441c, release notes for v1.41.1 and v2.41.1, and the security advisory GHSA-cmfh-mpmf-fmq4.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14568
Vulnerability details
Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
DOM-based XSS enables arbitrary script execution in victim browser, directly facilitating session hijacking (T1185) and web session cookie theft (T1539) as described in the CVE impacts.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the DOM-based XSS vulnerability by requiring timely application of patches released in Connect-CMS versions 1.41.1 and 2.41.1.
Validates inputs to the Cabinet Plugin list view, preventing malicious payloads from being processed client-side into the DOM.
Filters and encodes information outputs in client-side scripts of the Cabinet Plugin, blocking DOM-based XSS execution.