Listen to this Post
How the CVE Works
The vulnerability exists within the Form Plugin component of Connect CMS. When an administrator creates or modifies a form, the plugin includes a “File Field” type that allows users to upload files. The software fails to properly sanitize or validate the filename of the uploaded file. An attacker with contributor-level access (or any role permitted to submit form entries) can upload a file with a malicious filename containing JavaScript payloads, such as <script>alert('XSS')</script>.png.
Because the application stores this filename and subsequently renders it in the administrative dashboard (e.g., in the form entry review panel or file management interface) without proper output encoding, the payload executes in the context of the administrator’s browser. This leads to Stored Cross-site Scripting (XSS). The attack occurs when an administrator views the submitted entry, triggering the script. This can result in session hijacking, unauthorized actions performed on behalf of the admin, or theft of sensitive data.
dailycve form:
Platform: Connect CMS
Version: <=1.41.0, 2.0.0-2.41.0
Vulnerability : Stored Cross-site Scripting
Severity: High
date: 2026-03-23
Prediction: 2026-03-24 (Already Patched)
What Undercode Say:
Analytics
Check installed version composer show opensource-workshop/connect-cms | grep versions Verify Form Plugin version grep '"version"' plugins/form/composer.json Scan for vulnerable file fields grep -r "type.file" plugins/form/templates/
Exploit:
Upload a file with malicious filename curl -X POST -F "[email protected];filename=\"<script>alert('CVE-2026-XXXX')</script>.png\"" \ https://target.com/form/upload
Protection from this CVE
Update to patched versions: 1.41.1 or 2.41.1. Sanitize filenames using `preg_replace` to allow only alphanumeric characters and safe delimiters. Apply `htmlspecialchars()` with `ENT_QUOTES` when rendering filenames in the admin panel.
Impact
Arbitrary JavaScript execution in admin context, leading to privilege escalation, session theft, and unauthorized modification of CMS configurations or content.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

