Cyber Posture

CVE-2026-32277

Severity: High
Published: 23 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: available (Connect-CMS 1.41.1 and 2.41.1)
CVSS Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (2.8th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32277 is a high-severity DOM-based cross-site scripting (CWE-79) vulnerability in Connect-CMS, the content management system published by Opensource-Workshop. Its CVSS v3.1 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). Its EPSS score places it at the 2.8th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185) and Steal Web Session Cookie (T1539). What defenders deploy: see the NIST 800-53 controls listed below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Flaw remediation (prevent)
Directly mitigates the DOM-based XSS vulnerability through timely application of the patches released in Connect-CMS versions 1.41.1 and 2.41.1.
SI-10 Information Input Validation (prevent)
Validates inputs to the Cabinet Plugin list view, preventing malicious payloads from being processed client-side into the DOM.
SI-15 Information Output Filtering (prevent)
Filters and encodes information outputs in the client-side scripts of the Cabinet Plugin, blocking DOM-based XSS execution.

MITRE ATT&CK Enterprise Techniques

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

DOM-based XSS enables arbitrary script execution in the victim's browser, which directly facilitates browser session hijacking (T1185) and web session cookie theft (T1539), consistent with the high confidentiality and integrity impact recorded for this CVE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch.

Deeper analysis

CVE-2026-32277 is a DOM-based Cross-Site Scripting (XSS) vulnerability (CWE-79) in Connect-CMS, an open-source content management system. It affects versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, specifically in the Cabinet Plugin list view. The issue was published on 2026-03-23 and carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).

An attacker holding a low-privileged account (PR:L) can exploit this vulnerability over the network with low complexity, but a victim must act (UI:R), for example by opening a crafted link to the Cabinet Plugin list view. Because the injected script runs in the victim's browser rather than in the vulnerable component itself, the CVSS scope changes (S:C), and the impact on confidentiality and integrity is high: session hijacking, theft of data the victim can see, or unauthorized actions performed in the victim's browser context.

Patches addressing this vulnerability are available in Connect-CMS versions 1.41.1 and 2.41.1. Details on the fix are provided in the GitHub commit c04dc40f814eff891915752ef1ec00ba6612441c, release notes for v1.41.1 and v2.41.1, and the security advisory GHSA-cmfh-mpmf-fmq4.
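As an added illustration of the pattern this analysis describes (an untrusted value flowing from the page URL into a list view's markup) and of the input-validation and output-encoding controls recommended above, the following JavaScript contrasts a vulnerable list renderer with a hardened one. It is example code written for this page, not the Connect-CMS Cabinet Plugin source; the `folder` query parameter, the file records and the URLs are constructed assumptions.

```javascript
// Added illustration of the vulnerability class on this page: a DOM-based XSS
// in a file-list view and its hardened form. Hypothetical code, not the
// Connect-CMS Cabinet Plugin source; the parameter name "folder", the file
// records and the URLs below are constructed for the example.

// Source: an attacker-controlled value read from the page URL (a classic
// DOM XSS source, like location.search or location.hash in a browser).
function folderFromUrl(url) {
  return new URL(url).searchParams.get("folder") ?? "";
}

// VULNERABLE: untrusted values are concatenated into markup that the page
// would then assign to element.innerHTML (the sink). Nothing is encoded and
// the href is not checked, so "<img onerror=...>" and "javascript:" links run.
function renderListVulnerable(folder, files) {
  return `<h2>Folder: ${folder}</h2><ul>` +
    files.map(f => `<li><a href="${f.href}">${f.name}</a></li>`).join("") +
    "</ul>";
}

// SI-10 style input validation: an allowlist for the folder name.
// Letters/digits in any script, space, dot, underscore, hyphen; 1 to 64 chars.
function validateFolderName(name) {
  return /^[\p{L}\p{N} ._-]{1,64}$/u.test(name);
}

// SI-15 style output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Only http(s) links are allowed in href; anything else (javascript:, data:)
// becomes an inert "#". Relative paths resolve against a placeholder base
// purely so the scheme can be inspected; the original string is returned.
function safeHref(href) {
  try {
    const u = new URL(href, "https://placeholder.invalid/");
    return (u.protocol === "https:" || u.protocol === "http:") ? href : "#";
  } catch {
    return "#";
  }
}

// HARDENED: reject invalid folder names up front and encode every untrusted
// value for the context it lands in. In a real page, prefer building the
// list with document.createElement/textContent over innerHTML entirely.
function renderListSafe(folder, files) {
  const title = validateFolderName(folder) ? folder : "(invalid folder name)";
  return `<h2>Folder: ${escapeHtml(title)}</h2><ul>` +
    files.map(f =>
      `<li><a href="${escapeHtml(safeHref(f.href))}">${escapeHtml(f.name)}</a></li>`
    ).join("") +
    "</ul>";
}

// Constructed sample input: a crafted link a victim might be sent, plus file
// records of which one carries a hostile name and link.
const CRAFTED_URL =
  "https://cms.example/cabinet?folder=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";
const SAMPLE_FILES = [
  { name: "Q1 report.pdf", href: "/cabinet/file/1" },
  { name: "<script>alert(2)</script>", href: "javascript:alert(3)" },
];

// Reports whether rendered markup still carries a live payload: an injected
// tag or a javascript: link that a browser would execute.
function containsLivePayload(html) {
  return /<img\b|<script\b|href="javascript:/i.test(html);
}

const folder = folderFromUrl(CRAFTED_URL);
console.log("vulnerable renderer carries payload:", containsLivePayload(renderListVulnerable(folder, SAMPLE_FILES)));
console.log("hardened renderer carries payload:  ", containsLivePayload(renderListSafe(folder, SAMPLE_FILES)));
```

The two controls are deliberately layered: validation stops the crafted folder name before it reaches any sink, and encoding protects values (such as file names stored by another user) that legitimately contain characters the allowlist would reject.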

Details

CWE(s)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products
opensource-workshop / connect-cms
1.35.0 to 1.41.0 (fixed in 1.41.1) · 2.35.0 to 2.41.0 (fixed in 2.41.1)

CVEs Like This One

CVE-2026-32278 · Same product: Opensource-Workshop Connect-CMS
CVE-2026-32299 · Same product: Opensource-Workshop Connect-CMS
CVE-2026-32276 · Same product: Opensource-Workshop Connect-CMS
CVE-2026-32300 · Same product: Opensource-Workshop Connect-CMS
CVE-2026-27070 · Shared CWE-79
CVE-2026-4108 · Shared CWE-79
CVE-2025-23429 · Shared CWE-79
CVE-2025-26585 · Shared CWE-79
CVE-2026-34560 · Shared CWE-79
CVE-2026-30919 · Shared CWE-79
