Cyber Posture

CVE-2026-32278

High

Published: 23 March 2026

Modified: 24 March 2026
KEV Added: not listed
Patch: available
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L)
EPSS Score: 0.0004 (13.5th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32278 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Opensource-Workshop Connect-Cms. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 13.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: Requires timely remediation of flaws, including installation of patches for this specific stored XSS vulnerability, fixed in Connect-CMS versions 1.41.1 and 2.41.1.

Prevent: Filters information output to prevent execution of malicious scripts from stored content in the Form Plugin's file field, directly addressing the stored XSS (CWE-79).

Prevent: Validates inputs, including file uploads in the Form Plugin, to restrict dangerous file types, mitigating the unrestricted upload (CWE-434) that enables stored XSS.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored XSS via unauthenticated remote file upload to a public-facing CMS directly enables T1190 (exploiting the application to inject the payload). Victims' page views then trigger client-side execution, mapping to T1189 (drive-by compromise) and T1185 (browser session hijacking for the data theft and session theft described).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch.

Deeper analysis (AI-generated)

Connect-CMS, an open-source content management system, is affected by CVE-2026-32278, a stored cross-site scripting (XSS) vulnerability in the file field of its Form Plugin. The issue impacts versions in the 1.x series up to and including 1.41.0, as well as the 2.x series up to and including 2.41.0. It has been assigned a CVSS v3.1 base score of 8.2 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-79 (Improper Neutralization of Input During Web Page Generation).

Unauthenticated attackers can exploit this vulnerability remotely by uploading malicious content through the Form Plugin's file field; the content is stored and later rendered in users' browsers when the form or related content is accessed. Exploitation requires high attack complexity and user interaction, such as a victim viewing the affected page, but the scope changes (the impact extends beyond the vulnerable component into the victim's browser), enabling high impacts on confidentiality and integrity, such as session hijacking, data theft, or content manipulation, along with low availability disruption.

The GitHub security advisory (GHSA-mv3p-7p89-wq9p) and related commit detail the patch, which is available in Connect-CMS versions 1.41.1 and 2.41.1; administrators should upgrade to these releases to mitigate the issue.
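As an added illustration of the SI-10 input-validation and SI-15 output-filtering controls listed above (example code, not Connect-CMS's own; the function and field names are assumptions), the following Python checks a form file-field upload against an extension allowlist and magic bytes, rejects browser-renderable content, and serves stored files with headers that stop the browser from treating them as an HTML page:

```python
# Added example (not Connect-CMS code); function and field names are assumptions.
import re
import secrets
from dataclasses import dataclass

# Extensions the form is meant to accept, each with the magic bytes a genuine
# file starts with and the fixed Content-Type it is served as. The upload's own
# Content-Type header is never trusted.
ALLOWED_TYPES = {
    "pdf": ((b"%PDF-",), "application/pdf"),
    "png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
}
# Markup a browser renders (and runs script from) if the file is served inline.
ACTIVE_MARKERS = (b"<script", b"<svg", b"<html", b"<?xml", b"javascript:", b"onload=")
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")

@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""  # server-chosen name; the user's name is never reused

def validate_upload(filename: str, data: bytes, max_bytes: int = 10_000_000) -> Verdict:
    """Decide whether a form file-field upload may be stored (SI-10)."""
    if not data or len(data) > max_bytes:
        return Verdict(False, "empty or oversized upload")
    if not SAFE_NAME.match(filename) or ".." in filename:
        return Verdict(False, "unsafe file name")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return Verdict(False, f"extension .{ext} not in allowlist")
    if not any(data.startswith(m) for m in ALLOWED_TYPES[ext][0]):
        return Verdict(False, "content does not match declared type")
    # Polyglot check: a valid PDF/PNG header can still be followed by HTML that
    # some viewers render; reject rather than attempt to sanitise.
    if any(marker in data[:4096].lower() for marker in ACTIVE_MARKERS):
        return Verdict(False, "active content detected")
    return Verdict(True, "ok", f"{secrets.token_hex(16)}.{ext}")

def download_headers(stored_name: str) -> dict:
    """Headers for serving a stored file so it is never rendered as a page (SI-15)."""
    ext = stored_name.rsplit(".", 1)[-1]
    return {
        "Content-Type": ALLOWED_TYPES[ext][1],
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",  # no sniffing towards text/html
        "Content-Security-Policy": "sandbox",  # no script even if ever rendered
    }
```

The marker scan is a conservative heuristic that will also reject the rare legitimate document containing those strings; for an anonymous public form that trade-off is usually acceptable.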

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-79 (Improper Neutralization of Input During Web Page Generation)

Affected Products

opensource-workshop
connect-cms
1.0.0 — 1.41.1 · 2.0.0 — 2.41.1

CVEs Like This One

CVE-2026-32277: same product (Opensource-Workshop Connect-Cms)
CVE-2026-32299: same product (Opensource-Workshop Connect-Cms)
CVE-2026-32276: same product (Opensource-Workshop Connect-Cms)
CVE-2026-32300: same product (Opensource-Workshop Connect-Cms)
CVE-2025-25142: shared CWE-79
CVE-2026-24769: shared CWE-434, CWE-79
CVE-2026-25648: shared CWE-434, CWE-79
CVE-2026-29859: shared CWE-434, CWE-79
CVE-2025-67289: shared CWE-434, CWE-79
CVE-2025-22132: shared CWE-434, CWE-79

References