Cyber Resilience

CVE-2026-32277

High

Published: 23 March 2026

Published
23 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v3.1 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0033 24.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32277 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Opensource-Workshop Connect-Cms. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 24.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-32277 is a DOM-based Cross-Site Scripting (XSS) vulnerability (CWE-79) in Connect-CMS, an open-source content management system. It affects versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, specifically in the Cabinet Plugin list view. The issue was published on 2026-03-23 and carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).

An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity by tricking a user into performing an action, such as interacting with a maliciously crafted link or input in the Cabinet Plugin list view. Successful exploitation changes the security scope, enabling high-impact confidentiality and integrity violations, such as session hijacking, data theft, or unauthorized modifications within the victim's browser context.

Patches addressing this vulnerability are available in Connect-CMS versions 1.41.1 and 2.41.1. Details on the fix are provided in the GitHub commit c04dc40f814eff891915752ef1ec00ba6612441c, release notes for v1.41.1 and v2.41.1, and the security advisory GHSA-cmfh-mpmf-fmq4.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

DOM-based XSS enables arbitrary script execution in victim browser, directly facilitating session hijacking (T1185) and web session cookie theft (T1539) as described in the CVE impacts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32278Same product: Opensource-Workshop Connect-Cms
CVE-2026-32299Same product: Opensource-Workshop Connect-Cms
CVE-2026-32300Same product: Opensource-Workshop Connect-Cms
CVE-2026-32276Same product: Opensource-Workshop Connect-Cms
CVE-2026-34561Shared CWE-79
CVE-2025-25102Shared CWE-79
CVE-2025-23429Shared CWE-79
CVE-2025-26918Shared CWE-79
CVE-2026-46367Shared CWE-79
CVE-2026-27332Shared CWE-79

Affected Assets

opensource-workshop
connect-cms
1.35.0 — 1.41.1 · 2.35.0 — 2.41.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the DOM-based XSS vulnerability by requiring timely application of patches released in Connect-CMS versions 1.41.1 and 2.41.1.

prevent

Validates inputs to the Cabinet Plugin list view, preventing malicious payloads from being processed client-side into the DOM.

prevent

Filters and encodes information outputs in client-side scripts of the Cabinet Plugin, blocking DOM-based XSS execution.

References