Connect-CMS flaws allow arbitrary profile changes and stored XSS
Connect-CMS disclosed two high-severity vulnerabilities affecting all 1.x and 2.x releases through 1.41.0 and 2.41.0. The first, CVE-2026-32300, is an improper authorization issue in the My Page profile update feature that can let an authenticated attacker modify arbitrary user information. The flaw is mapped to CWE-285 and CWE-639 and carries a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating high confidentiality and integrity impact without requiring user interaction.
The second issue, CVE-2026-32278, is a stored cross-site scripting (XSS) vulnerability in the Form Plugin file field. It is mapped in the advisory to CWE-434 and has a CVSS 3.1 vector of AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L, reflecting the potential for attacker-supplied content to execute in users' browsers after interaction. Both vulnerabilities were fixed in 1.41.1 and 2.41.1, with advisories pointing to the relevant patch commit, release tags, and GitHub Security Advisory entries.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Connect-CMS 1.41.1 and 2.41.1 released with fixes
Connect-CMS released patched versions 1.41.1 and 2.41.1 to address both the improper authorization vulnerability and the stored XSS vulnerability. The advisories reference fixing commits and release tags for the patched versions.
Connect-CMS vulnerabilities disclosed to GitHub Security Advisories
GitHub Security Advisories received CVE-2026-32300, an improper authorization flaw in the My Page profile update feature, and CVE-2026-32278, a stored XSS issue in the Form Plugin file field. Both issues affected Connect-CMS 1.x through 1.41.0 and 2.x through 2.41.0.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
CVE-2026-32300 - Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information
cvefeed.io
Open sourceCVE-2026-32278 - Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin
cvefeed.io
Open sourceCVE-2026-32276 - Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin
cvefeed.io
Open sourceCVE-2026-32277 - Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View
cvefeed.io
Open sourceCVE-2026-32300: CVE-2026-32300: Insecure Direct Object Reference in Connect-CMS Profile Update | CVEReports
cvereports.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Adobe Connect Flaws Expose Users to XSS and Potential Code Execution
Adobe disclosed two high-severity vulnerabilities in **Adobe Connect** affecting versions **2025.3, 12.10, and earlier**, and directed customers to advisory **`APSB26-37`** for remediation. One issue, **`CVE-2026-27246`**, is a DOM-based cross-site scripting flaw classified as **`CWE-79`** that can let an attacker manipulate the browser DOM and run malicious JavaScript in a victim’s session after luring the user to a crafted webpage. The vulnerability carries a CVSS v3.1 vector of **`AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N`**, indicating network reachability, low attack complexity, no privileges required, and high confidentiality and integrity impact. Adobe also disclosed **`CVE-2026-34615`**, a **`CWE-502`** deserialization of untrusted data vulnerability in the same product versions that can lead to arbitrary code execution in the context of the current user. Adobe said exploitation of the deserialization flaw does not require user interaction, making it the more serious of the two issues, while both bugs were published through Adobe’s PSIRT process and affect the same supported and earlier Adobe Connect releases. Organizations using Adobe Connect should prioritize patching exposed deployments and reviewing the vendor advisory for fixed versions and mitigation guidance.
May 24, 2026
Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS
Two content management systems were identified with **unauthenticated SQL injection** vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. `CVE-2019-25697` affects **CMSsite 1.0**, where the `cat_id` parameter in `category.php` can be abused through crafted `GET` requests, potentially exposing usernames, credentials, and other database contents. A separate flaw, `CVE-2018-25300`, affects **XATABoost CMS 1.0.0** through a **union-based SQL injection** in the `id` parameter of `news.php`, also reachable remotely without authentication via crafted `GET` requests. Both records were published with **CWE-89** classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.
Apr 29, 2026
CI4MS Stored DOM XSS Flaws Enable Account Takeover and Privilege Escalation
Two high-severity vulnerabilities in **CI4MS**, a CodeIgniter 4-based CMS skeleton, allow authenticated low-privilege users to trigger **stored DOM-based XSS** that can lead to full account takeover across roles and privilege escalation. **`CVE-2026-34558`** affects the **Methods Management** functionality, where improperly sanitized and encoded user input can be stored server-side and later executed in administrative interfaces and global navigation components. A second flaw, **`CVE-2026-34565`**, impacts **Menu Management** for posts, where malicious post data added to navigation menus can execute in both admin dashboards and public-facing menus. Both issues are classified as **CWE-79** and carry the same **CVSS v3.1** vector, `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L`; they affect CI4MS versions prior to **`0.31.0.0`** and were patched in **`0.31.0.0`**.
Apr 6, 2026