DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32276: CVE-2026-32276: Arbitrary Code Execution in Connect-CMS Code Study Plugin

#security #cve #cybersecurity

CVE-2026-32276: Arbitrary Code Execution in Connect-CMS Code Study Plugin

Vulnerability ID: CVE-2026-32276
CVSS Score: 8.8
Published: 2026-03-23

Connect-CMS contains a critical vulnerability in the Code Study Plugin (CWE-94: Improper Control of Generation of Code). The plugin fails to adequately sandbox or sanitize user-supplied PHP and Java code prior to execution. Authenticated attackers with access to the plugin can bypass blacklist-based filters using alternative whitespace or dynamic function calls, resulting in arbitrary remote code execution on the underlying server.

TL;DR

The Connect-CMS Code Study Plugin allows authenticated users to execute arbitrary PHP/Java code due to a flawed blacklist filter. Attackers can bypass the filter to achieve Remote Code Execution (RCE). The vendor remediated the issue in versions 1.41.1 and 2.41.1 by completely removing the vulnerable plugin.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Improper Control of Generation of Code
  • CWE ID: CWE-94
  • CVSS Score: 8.8
  • Attack Vector: Network
  • Privileges Required: Low (Authenticated)
  • Exploit Status: Proof of Concept
  • Fix Approach: Complete removal of the vulnerable component

Affected Systems

  • Connect-CMS Series 1.x <= 1.41.0
  • Connect-CMS Series 2.x <= 2.41.0
  • Connect-CMS: <= 1.41.0 (Fixed in: 1.41.1)
  • Connect-CMS: >= 2.0.0, <= 2.41.0 (Fixed in: 2.41.1)

Code Analysis

Commit: c0bcd07

Removal of the vulnerable Codestudies functionality.

Deleted CodestudiesPlugin.php, associated routing, and controller code.
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • Research Context: Proof of Concept demonstrating bypass of the runCheck filter using dynamic function invocation.

Mitigation Strategies

  • Upgrade Connect-CMS to version 1.41.1 or 2.41.1.
  • Manually delete the CodestudiesPlugin.php component if upgrading is not possible.
  • Block access to the /plugin/codestudies/* URI paths at the load balancer or WAF level.

Remediation Steps:

  1. Verify the current installed version of Connect-CMS.
  2. Download the official patch release corresponding to the major version branch (1.41.1 or 2.41.1).
  3. Deploy the update in a staging environment and verify the removal of the Code Study interface.
  4. Apply the update to the production environment.
  5. Review server logs for historical access to the /plugin/codestudies/run endpoint to identify potential past exploitation.

References

Read the full report for CVE-2026-32276 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)