CVE-2026-32277: Persistent DOM-based XSS in Connect-CMS Cabinet Plugin
Vulnerability ID: CVE-2026-32277
CVSS Score: 8.7
Published: 2026-03-23
Connect-CMS versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0 contain a high-severity persistent DOM-based Cross-Site Scripting (XSS) vulnerability in the Cabinet Plugin. The vulnerability arises from unsafe use of the .innerHTML property when rendering user-controllable file and folder names. Exploitation requires authenticated access to create a file or folder, but successful execution allows attackers to hijack administrative sessions, escalate privileges, or deface the application.
TL;DR
A persistent DOM-based XSS in the Connect-CMS Cabinet Plugin allows authenticated attackers to execute arbitrary JavaScript in the context of other users' browsers via maliciously crafted file or folder names, leading to potential session hijacking and privilege escalation.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Score: 8.7 (High)
- Privileges Required: Low
- User Interaction: Required
- Impact: Confidentiality: High, Integrity: High
- Exploit Status: PoC Available
Affected Systems
- Connect-CMS Cabinet Plugin
- Connect-CMS: 1.35.0 <= version <= 1.41.0 (Fixed in: 1.41.1)
- Connect-CMS: 2.35.0 <= version <= 2.41.0 (Fixed in: 2.41.1)
Code Analysis
Commit: c04dc40
Fix DOM XSS in Cabinet Plugin selection list by replacing innerHTML with textContent
Mitigation Strategies
- Upgrade Connect-CMS software to patched versions
- Implement a strict Content Security Policy (CSP) blocking unsafe-inline scripts
- Enforce server-side input validation and sanitization for file and folder names
- Implement Web Application Firewall (WAF) rules targeting common XSS payloads in application inputs
Remediation Steps
- Verify the current Connect-CMS version by checking the application logs or the administration panel
- Back up the current CMS database and application files
- Download Connect-CMS version 1.41.1 or 2.41.1 depending on current branch
- Apply the update following the official Connect-CMS deployment documentation
- Audit the Cabinet Plugin database records for existing malicious filenames or anomalous artifacts
- Clear application and browser caches to ensure the patched JavaScript files are served to clients
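The following is an added illustration, not Connect-CMS's own code, of two points above: the innerHTML-to-textContent change described under Code Analysis, and the audit of stored Cabinet names listed in the remediation steps. The element stand-in, escapeHtml, auditNames and the SAMPLE_NAMES records are assumptions constructed here so the script runs under Node without a browser DOM.

```javascript
// Added example, not Connect-CMS code. A minimal element stand-in so the
// innerHTML-vs-textContent difference from the fix runs under Node without a DOM.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function makeElement() {
  return {
    serialized: "",
    // innerHTML: the string is parsed as markup, so tags and handlers become live.
    set innerHTML(v) { this.serialized = String(v); },
    // textContent: the string becomes a text node; a real DOM serializes it escaped.
    set textContent(v) { this.serialized = escapeHtml(v); },
  };
}

// Vulnerable pattern (pre-fix): a user-controlled file/folder name written as markup.
function renderNameUnsafe(name) {
  const el = makeElement();
  el.innerHTML = name;
  return el.serialized;
}

// Fixed pattern (what the commit switches to): the name written as text only.
function renderNameSafe(name) {
  const el = makeElement();
  el.textContent = name;
  return el.serialized;
}

// Audit helper for the remediation step: flags stored names containing markup
// or script-like fragments. A bare '&' is allowed so ordinary names stay quiet.
const SUSPICIOUS_NAME = /[<>]|javascript:|\bon\w+\s*=/i;
function auditNames(names) {
  return names.filter((n) => SUSPICIOUS_NAME.test(n));
}

// Constructed sample of Cabinet records, as an audit over a DB export would see them.
const SAMPLE_NAMES = ["report.pdf", "Q1 & Q2.xlsx", '<img src=x onerror="probe()">', "notes.txt"];
```

Running auditNames over a real export of the Cabinet table is a quick way to find names that were stored before the patch and still need cleanup.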
References
- Official CVE Record
- NVD Entry
- GitHub Security Advisory: GHSA-cmfh-mpmf-fmq4
- Fix Commit: c04dc40f
- Release v1.41.1
- Release v2.41.1