CVE-2026-32276

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to execute arbitrary code in the Code Study Plugin. Versions 1.41.1 and 2.41.1 contain a patch.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/opensource-workshop/connect-cms/commit/c0bcd07fc1e9375941aa1295d044328ecd44ed85	Patch
https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1	Release Notes
https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1	Release Notes
https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-hxqw-6qv7-cqfv	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:opensource-workshop:connect-cms::::::::
	cpe:2.3:a:opensource-workshop:connect-cms::::::::

History

No history.

Information

Published : 2026-03-23 22:16

Updated : 2026-03-24 19:58

NVD link : CVE-2026-32276

Mitre link : CVE-2026-32276

CVE.ORG link : CVE-2026-32276

JSON object : View

Products Affected

opensource-workshop

connect-cms

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2026-32276", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-03-23T22:16:27.050", "references": [{"url": "https://github.com/opensource-workshop/connect-cms/commit/c0bcd07fc1e9375941aa1295d044328ecd44ed85", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-hxqw-6qv7-cqfv", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to execute arbitrary code in the Code Study Plugin. Versions 1.41.1 and 2.41.1 contain a patch."}, {"lang": "es", "value": "Connect-CMS es un sistema de gesti\u00f3n de contenido. En versiones de la serie 1.x hasta la 1.41.0 inclusive y versiones de la serie 2.x hasta la 2.41.0 inclusive, un usuario autenticado podr\u00eda ejecutar c\u00f3digo arbitrario en el plugin Code Study. Las versiones 1.41.1 y 2.41.1 contienen un parche."}], "lastModified": "2026-03-24T19:58:16.700", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opensource-workshop:connect-cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60B8BBDF-82BD-486D-AE17-7F59360E62C3", "versionEndExcluding": "1.41.1", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:opensource-workshop:connect-cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C11B4F0-DF29-473A-A285-9DA152DDCDE1", "versionEndExcluding": "2.41.1", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}