Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View
Description
Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Connect-CMS Cabinet Plugin list view is vulnerable to DOM-based XSS from versions 1.35.0/2.35.0 through 1.41.0/2.41.0, patched in 1.41.1/2.41.1.
Vulnerability
Overview
The Cabinet Plugin list view in Connect-CMS is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. The issue exists in versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0 [1]. The root cause lies in insufficient sanitization of user-supplied data that is processed and rendered in the DOM of the list view page, allowing an attacker to inject arbitrary JavaScript that executes in the context of the victim's browser.
Exploitation
Scenario
DOM-based XSS is triggered entirely on the client side; the attacker does not need to send a malicious request to the server. Instead, exploitation occurs when a user visits a crafted URL (or otherwise causes hostile data to reach the vulnerable sink in the Cabinet Plugin list view) without requiring authentication to the vulnerable component itself [1]. This makes the attack surface relatively broad: any user who navigates to a specially crafted link can be affected.
Impact
Successful exploitation enables the attacker to execute arbitrary scripts in the victim's browser session within the Connect-CMS domain. This can be used to steal session cookies, capture keystrokes, deface the page, or perform other malicious actions on behalf of the victim — all without direct interaction with the server beyond the initial page load.
Mitigation
The project has released patches in versions 1.41.1 and 2.41.1, which address the issue by properly sanitizing the DOM inputs [3][4]. Users should upgrade to the latest patched version immediately. There are no known workarounds for unpatched installations.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
opensource-workshop/connect-cmsPackagist | >= 1.35.0, < 1.41.1 | 1.41.1 |
opensource-workshop/connect-cmsPackagist | >= 2.35.0, < 2.41.1 | 2.41.1 |
Affected products
2- Range: 1.35.0 - 1.41.0, 2.35.0 - 2.41.0
- opensource-workshop/connect-cmsv5Range: >= 1.35.0, < 1.41.1
Patches
1c04dc40f814eFix: GHSA-cmfh-mpmf-fmq4
1 file changed · +6 −1
resources/views/plugins/user/cabinets/default/index.blade.php+6 −1 modified@@ -583,7 +583,12 @@ // 選択リストの更新 const selectedList = document.getElementById('selected-contents{{$frame_id}}'); if (selectedList) { - selectedList.innerHTML = this.selectedContents.map(name => `<li>${name}</li>`).join(''); + selectedList.textContent = ''; + this.selectedContents.forEach((name) => { + const listItem = document.createElement('li'); + listItem.textContent = name; + selectedList.appendChild(listItem); + }); } // 全選択チェックボックスの更新
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-cmfh-mpmf-fmq4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32277ghsaADVISORY
- github.com/opensource-workshop/connect-cms/commit/c04dc40f814eff891915752ef1ec00ba6612441cghsax_refsource_MISCWEB
- github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1ghsax_refsource_MISCWEB
- github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1ghsax_refsource_MISCWEB
- github.com/opensource-workshop/connect-cms/security/advisories/GHSA-cmfh-mpmf-fmq4ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.