CVE-2026-32278: Stored Cross-Site Scripting (XSS) via Unrestricted File Upload in Connect-CMS
Vulnerability ID: CVE-2026-32278
CVSS Score: 8.2
Published: 2026-03-23
Connect-CMS versions up to 1.41.0 and 2.41.0 suffer from a Stored Cross-Site Scripting (XSS) vulnerability within the Form Plugin. The application fails to adequately validate file extensions and MIME types on upload, allowing unauthenticated attackers to store malicious HTML files on the server. When an administrator views the uploaded file, the payload executes within the context of the CMS domain, enabling administrative session hijacking.
TL;DR
A critical file upload flaw in Connect-CMS allows unauthenticated users to upload malicious HTML files containing JavaScript. When an administrator views these submissions, the script executes, leading to potential account takeover.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: Stored Cross-Site Scripting (XSS)
- CWE ID: CWE-434
- CVSS v3.1 Score: 8.2 (HIGH)
- Attack Vector: Network
- Privileges Required: None
- User Interaction: Required
- Exploit Status: Proof of Concept (PoC) Available
Affected Systems
- Connect-CMS 1.x up to and including 1.41.0
- Connect-CMS 2.x up to and including 2.41.0
- Connect-CMS 1.x: <= 1.41.0 (fixed in 1.41.1)
- Connect-CMS 2.x: <= 2.41.0 (fixed in 2.41.1)
Code Analysis
Commit: 9d87fe8
Primary patch for GHSA-mv3p-7p89-wq9p removing inline HTML rendering and enforcing strict MIME/extension validation.
Mitigation Strategies
- Upgrade Connect-CMS to version 1.41.1 or 2.41.1.
- Configure strict file extension whitelists on all form upload fields using the new rule_file_extensions setting.
- Implement Web Application Firewall (WAF) rules to inspect multipart/form-data payloads for malicious extensions and HTML content.
- Isolate user-uploaded files by serving them from a separate, unprivileged domain to neutralize Same-Origin Policy exploitation.
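To make the allow-list and content checks in the mitigations above concrete, here is an added Python example (not Connect-CMS code, which is PHP, and not the rule_file_extensions setting itself); the validate_upload and download_headers functions, the ALLOWED table and the sample inputs are assumptions constructed for this example.

```python
import re

# Allow-list of extensions and the magic bytes each must start with
# (constructed for this example; tailor to what a form actually needs).
ALLOWED = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}

# Markers that indicate HTML/JS content regardless of the claimed extension.
HTML_MARKERS = re.compile(rb"<\s*(script|html|iframe|svg|body)\b|<!doctype\s+html", re.I)

# Extensions that must never appear anywhere in a multi-dot filename.
NESTED_DANGEROUS = {"html", "htm", "xhtml", "svg", "js", "php"}


def validate_upload(filename: str, data: bytes, allowed=ALLOWED) -> tuple[bool, str]:
    """Return (accepted, reason). Every check must pass; on any doubt, reject."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # strip any path component
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in allowed:
        return False, f"extension '{ext}' not in allow-list"
    # Reject double extensions such as report.html.pdf so a lenient server
    # configuration cannot pick the inner one.
    if any(p in NESTED_DANGEROUS for p in parts[1:-1]):
        return False, "nested dangerous extension"
    # The declared type must match the file's leading bytes, not just its name.
    if not data.startswith(allowed[ext]):
        return False, "content does not match declared type"
    # A file with valid magic bytes can still carry markup; look at the head.
    if HTML_MARKERS.search(data[:4096]):
        return False, "HTML/JS markers found in content"
    return True, "ok"


def download_headers(stored_name: str) -> dict:
    """Headers for serving a stored upload so the browser never renders it inline."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

Serving uploads with these headers from a separate origin is what removes the CMS domain from the execution context even if a check is bypassed.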
Remediation Steps
- Back up the current Connect-CMS database and application files.
- Pull the latest release corresponding to your major version (1.41.1 or 2.41.1) from the official repository.
- Deploy the updated application files to the server.
- Log into the Connect-CMS administrative dashboard.
- Navigate to the Form Plugin settings.
- Review all forms containing a File upload field and explicitly define the allowed extensions (e.g., pdf, jpg, png).
- Test form submissions to verify that invalid file types are rejected and valid files are processed correctly.