HIGHCVE-2026-32277CVSS 8.7

CVE-2026-32277: XSS in connect-cms Cabinet Plugin

Platform

php

Component

opensource-workshop/connect-cms

Fixed in

1.35.1

2.35.1

1.41.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

CVE-2026-32277 describes a DOM-based Cross-Site Scripting (XSS) vulnerability affecting the Cabinet Plugin within the connect-cms platform. Successful exploitation could allow an attacker to execute arbitrary JavaScript code within a victim's browser, potentially leading to session hijacking, data theft, or other malicious actions. This vulnerability impacts versions 1.x (≥ 1.35.0 ≤ 1.41.0) and 2.x (≥ 2.35.0 ≤ 2.41.0) of the plugin. A patch is available in versions 1.41.1 and 2.41.1.

Impact and Attack Scenarios

The primary impact of CVE-2026-32277 is the potential for an attacker to inject and execute malicious JavaScript code within the context of a user's browser session. This can be leveraged to steal sensitive information, such as cookies and session tokens, allowing the attacker to impersonate the user. Furthermore, the attacker could redirect the user to a malicious website, deface the website, or perform other actions on behalf of the user. The vulnerability resides in how saved names are rendered within the Cabinet Plugin's list view, making it susceptible to DOM manipulation. While the description doesn't explicitly mention a specific attack vector beyond DOM manipulation, the potential for client-side code execution is significant.

Exploitation Context

CVE-2026-32277 was publicly disclosed on 2026-03-23. There is no indication of this vulnerability being actively exploited in the wild or listed on CISA KEV as of this writing. No public proof-of-concept (PoC) code has been released. The vulnerability's DOM-based nature suggests that exploitation might require user interaction, potentially lowering the immediate risk.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports1 threat report

EPSS

0.03% (10% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impacttotal

CVSS Vector

Affected Software

Componentopensource-workshop/connect-cms

Vendorosv

Affected rangeFixed in

>= 1.35.0, < 1.41.1 – >= 1.35.0, < 1.41.11.35.1

>= 2.35.0, < 2.41.1 – >= 2.35.0, < 2.41.12.35.1

1.35.01.41.1

Weakness Classification (CWE)

CWE-79

Timeline

Reserved2026-03-11
Published2026-03-23
Modified2026-03-25
EPSS updated2026-03-31

Patched 0 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-32277 is to upgrade the Cabinet Plugin to version 1.41.1 or 2.41.1. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious input in the Cabinet Plugin's list view. Specifically, look for patterns indicative of JavaScript injection attempts. Additionally, review and sanitize any user-supplied data before rendering it in the plugin's list view. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) into the Cabinet Plugin's list view and verifying that it does not execute.

How to fix

Actualice Connect-CMS a la versión 1.41.1 o 2.41.1, o posterior, para corregir la vulnerabilidad XSS en el plugin Cabinet. La actualización contiene un parche que soluciona el problema de seguridad.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-32277 — XSS in connect-cms Cabinet Plugin?

CVE-2026-32277 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the Cabinet Plugin of connect-cms, allowing attackers to execute JavaScript in a user's browser.

Am I affected by CVE-2026-32277 in connect-cms Cabinet Plugin?

You are affected if you are using connect-cms with the Cabinet Plugin in versions 1.x (≥ 1.35.0 ≤ 1.41.0) or 2.x (≥ 2.35.0 ≤ 2.41.0).

How do I fix CVE-2026-32277 in connect-cms Cabinet Plugin?

Upgrade the Cabinet Plugin to version 1.41.1 or 2.41.1. Consider WAF rules as a temporary workaround.

Is CVE-2026-32277 being actively exploited?

There is currently no evidence of CVE-2026-32277 being actively exploited in the wild.

Where can I find the official connect-cms advisory for CVE-2026-32277?

Refer to the connect-cms security advisory for details: [https://opensource-workshop.github.io/connect-cms/security/advisories/cabinet-plugin-dom-based-xss.html]

NextGuard

Vulnerabilities

Package Information

Last updated: 2.43.0recently

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: None — no availability impact. Service remains fully operational.