8.8
CVE-2026-32276
- EPSS 0.46%
- Veröffentlicht 23.03.2026 21:06:32
- Zuletzt bearbeitet 24.03.2026 19:58:16
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginConnect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to execute arbitrary code in the Code Study Plugin. Versions 1.41.1 and 2.41.1 contain a patch.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Opensource-workshop ≫ Connect-cms Version >= 1.0.0 < 1.41.1
Opensource-workshop ≫ Connect-cms Version >= 2.0.0 < 2.41.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.46% | 0.365 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-hxqw-6qv7-cqfv
https://github.com/opensource-workshop/connect-cms/commit/c0bcd07fc1e9375941aa1295d044328ecd44ed85
https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1
https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1