Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 7016f16e0b7b · 2026-03-23T20:36:24.000Z
GHSA-cmfh-mpmf-fmq4 GHSA-hxqw-6qv7-cqfv
diff --git a/advisories/github-reviewed/2026/03/GHSA-cmfh-mpmf-fmq4/GHSA-cmfh-mpmf-fmq4.json b/advisories/github-reviewed/2026/03/GHSA-cmfh-mpmf-fmq4/GHSA-cmfh-mpmf-fmq4.json
@@ -0,0 +1,88 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cmfh-mpmf-fmq4",
+  "modified": "2026-03-23T20:35:48Z",
+  "published": "2026-03-23T20:35:48Z",
+  "aliases": [
+    "CVE-2026-32277"
+  ],
+  "summary": "Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View",
+  "details": "# Security Advisory — Cabinet Plugin (DOM-based XSS)\n\n## Summary\n\nA DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view.\n\n## Affected Versions\n\n- 1.x series: >= 1.35.0, <= 1.41.0\n- 2.x series: >= 2.35.0, <= 2.41.0\n\n## Patched Versions\n\n- 1.41.1\n- 2.41.1\n\n## Description\n\nIn the Cabinet Plugin list view, DOM-based Cross-Site Scripting (XSS) could occur due to how saved names were rendered.\nIf exploited, arbitrary script could run in the victim's browser, which may lead to unauthorized actions or information theft.\nExploitation requires that the attacker be able to reach the affected functionality as an authenticated user.\nUsers affected by this vulnerability should update to a fixed version.\n\n## Solution\n\nUpdate to the fixed version.\nFor the 1.x series, update to 1.41.1 or later.\nFor the 2.x series, update to 2.41.1 or later.\n\n## Credits\n\nOpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "opensource-workshop/connect-cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.35.0"
+            },
+            {
+              "fixed": "1.41.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "opensource-workshop/connect-cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.35.0"
+            },
+            {
+              "fixed": "2.41.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-cmfh-mpmf-fmq4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/opensource-workshop/connect-cms/commit/c04dc40f814eff891915752ef1ec00ba6612441c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/opensource-workshop/connect-cms"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-23T20:35:48Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-hxqw-6qv7-cqfv/GHSA-hxqw-6qv7-cqfv.json b/advisories/github-reviewed/2026/03/GHSA-hxqw-6qv7-cqfv/GHSA-hxqw-6qv7-cqfv.json
@@ -0,0 +1,88 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hxqw-6qv7-cqfv",
+  "modified": "2026-03-23T20:33:34Z",
+  "published": "2026-03-23T20:33:34Z",
+  "aliases": [
+    "CVE-2026-32276"
+  ],
+  "summary": "Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin",
+  "details": "# Security Advisory — Code Study Plugin\n\n## Summary\n\nAn authenticated user may be able to execute arbitrary code in the Code Study Plugin.\n\n## Affected Versions\n\n- 1.x series: <= 1.41.0\n- 2.x series: <= 2.41.0\n\n## Patched Versions\n\n- 1.41.1\n- 2.41.1\n\n## Description\n\nIn the Code Study Plugin, an authenticated user could trigger unintended code execution. If exploited, it may lead to code execution on the server or information disclosure. Users affected by this vulnerability should update to a fixed version.\n\n## Solution\n\nUpdate to the fixed version.\nFor the 1.x series, update to 1.41.1 or later.\nFor the 2.x series, update to 2.41.1 or later.\n\n## Credits\n\nOpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "opensource-workshop/connect-cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.41.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "opensource-workshop/connect-cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.0"
+            },
+            {
+              "fixed": "2.41.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-hxqw-6qv7-cqfv"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/opensource-workshop/connect-cms/commit/c0bcd07fc1e9375941aa1295d044328ecd44ed85"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/opensource-workshop/connect-cms"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-23T20:33:34Z",
+    "nvd_published_at": null
+  }
+}
