Platform
php
Component
opensource-workshop/connect-cms
Fixed in
1.35.1
2.35.1
1.41.1
CVE-2026-32277 describes a DOM-based Cross-Site Scripting (XSS) vulnerability affecting the Cabinet Plugin within the connect-cms platform. Successful exploitation could allow an attacker to execute arbitrary JavaScript code within a victim's browser, potentially leading to session hijacking, data theft, or other malicious actions. This vulnerability impacts versions 1.x (≥ 1.35.0 and ≤ 1.41.0) and 2.x (≥ 2.35.0 and ≤ 2.41.0) of the plugin. A patch is available in versions 1.41.1 and 2.41.1.
The primary impact of CVE-2026-32277 is the potential for an attacker to inject and execute malicious JavaScript code within the context of a user's browser session. This can be leveraged to steal sensitive information, such as cookies and session tokens, allowing the attacker to impersonate the user. Furthermore, the attacker could redirect the user to a malicious website, deface the website, or perform other actions on behalf of the user. The vulnerability resides in how saved names are rendered within the Cabinet Plugin's list view, making it susceptible to DOM manipulation. While the description doesn't explicitly mention a specific attack vector beyond DOM manipulation, the potential for client-side code execution is significant.
CVE-2026-32277 was publicly disclosed on 2026-03-23. There is no indication of this vulnerability being actively exploited in the wild or listed on CISA KEV as of this writing. No public proof-of-concept (PoC) code has been released. The vulnerability's DOM-based nature suggests that exploitation might require user interaction, potentially lowering the immediate risk.
Organizations using connect-cms with the Cabinet Plugin in versions 1.35.0 through 1.41.0 or 2.35.0 through 2.41.0 are at risk. This includes those deploying connect-cms in shared hosting environments, as vulnerabilities in plugins can potentially impact multiple users. Legacy configurations that haven't been regularly updated are also particularly vulnerable.
• php: Examine connect-cms application logs for unusual JavaScript execution patterns or error messages related to the Cabinet Plugin. (The alternation `|` needs extended regex, hence `-E`.)

    grep -iE 'XSS|javascript' /var/log/apache2/error.log

• generic web: Use curl to test the Cabinet Plugin list view with various payloads containing JavaScript code.

    curl 'http://your-connect-cms-site/cabinet-plugin/list?name=<script>alert("XSS")</script>' -I

• wordpress: (If connect-cms is built on WordPress) Review WordPress plugin files for any modifications or suspicious code related to the Cabinet Plugin. Use grep to search for potentially malicious code.

    grep -r 'alert(' /var/www/html/wp-content/plugins/cabinet-plugin/

Disclosure
Exploit Status
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2026-32277 is to upgrade the Cabinet Plugin to version 1.41.1 or 2.41.1. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious input in the Cabinet Plugin's list view. Specifically, look for patterns indicative of JavaScript injection attempts. Additionally, review and sanitize any user-supplied data before rendering it in the plugin's list view. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) into the Cabinet Plugin's list view and verifying that it does not execute.
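The advisory's root cause is a saved name being rendered into the list view as markup. The following is an added example, not connect-cms or Cabinet Plugin code: a hypothetical list-view renderer shown in its unsafe form next to a hardened form that escapes every untrusted field before interpolation. Function names, the `item` shape and the sample names are constructed for illustration.

```javascript
// Added example (not connect-cms code): the DOM-XSS pattern described in the
// advisory, a saved name rendered into a list view, shown unsafe and hardened.
// Function and field names are assumptions for illustration only.

// Escape text for use inside HTML element content or a quoted attribute.
// Not sufficient for URL, CSS or inline-script contexts; use textContent or
// setAttribute in the browser where possible instead of building markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored name is interpolated into markup as-is, so
// any markup inside the name becomes live DOM when assigned via innerHTML.
function renderCabinetRowUnsafe(item) {
  return `<li class="cabinet-item" data-id="${item.id}">${item.name}</li>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation,
// so the name is displayed as text and can never create elements.
function renderCabinetRow(item) {
  return `<li class="cabinet-item" data-id="${escapeHtml(item.id)}">${escapeHtml(item.name)}</li>`;
}

// Render a whole list; the row renderer is injectable so both variants can
// be compared on the same data.
function renderCabinetList(items, rowRenderer = renderCabinetRow) {
  return `<ul class="cabinet-list">${items.map(rowRenderer).join("")}</ul>`;
}

// Constructed sample data: one benign name and one carrying the same test
// string the advisory uses for post-upgrade verification.
const SAMPLE_ITEMS = [
  { id: 1, name: "Quarterly report.pdf" },
  { id: 2, name: "<script>alert('XSS')</script>" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderCabinetList(SAMPLE_ITEMS, renderCabinetRowUnsafe));
  console.log("safe:  ", renderCabinetList(SAMPLE_ITEMS));
}
```

The same contrast applies to the post-upgrade check in the paragraph above: the patched plugin should produce the escaped form, with the test string visible as literal text in the list and no script executing.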
Update Connect-CMS to version 1.41.1 or 2.41.1, or later, to fix the XSS vulnerability in the Cabinet plugin. The update contains a patch that resolves the security issue.
CVE-2026-32277 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the Cabinet Plugin of connect-cms, allowing attackers to execute JavaScript in a user's browser.
You are affected if you are using connect-cms with the Cabinet Plugin in versions 1.x (≥ 1.35.0 and ≤ 1.41.0) or 2.x (≥ 2.35.0 and ≤ 2.41.0).
Upgrade the Cabinet Plugin to version 1.41.1 or 2.41.1. Consider WAF rules as a temporary workaround.
There is currently no evidence of CVE-2026-32277 being actively exploited in the wild.
Refer to the connect-cms security advisory for details: https://opensource-workshop.github.io/connect-cms/security/advisories/cabinet-plugin-dom-based-xss.html