Connect CMS, Stored XSS, CVE-2026-XXXX (High)

Listen to this Post

How the CVE Works

The vulnerability exists within the Form Plugin component of Connect CMS. When an administrator creates or modifies a form, the plugin includes a “File Field” type that allows users to upload files. The software fails to properly sanitize or validate the filename of the uploaded file. An attacker with contributor-level access (or any role permitted to submit form entries) can upload a file with a malicious filename containing JavaScript payloads, such as <script>alert('XSS')</script>.png.
Because the application stores this filename and subsequently renders it in the administrative dashboard (e.g., in the form entry review panel or file management interface) without proper output encoding, the payload executes in the context of the administrator’s browser. This leads to Stored Cross-site Scripting (XSS). The attack occurs when an administrator views the submitted entry, triggering the script. This can result in session hijacking, unauthorized actions performed on behalf of the admin, or theft of sensitive data.

dailycve form:

Platform: Connect CMS
Version: <=1.41.0, 2.0.0-2.41.0
Vulnerability : Stored Cross-site Scripting
Severity: High
date: 2026-03-23

Prediction: 2026-03-24 (Already Patched)

What Undercode Say:

Analytics

Check installed version
composer show opensource-workshop/connect-cms | grep versions
Verify Form Plugin version
grep '"version"' plugins/form/composer.json
Scan for vulnerable file fields
grep -r "type.file" plugins/form/templates/

Exploit:

Upload a file with malicious filename
curl -X POST -F "[email protected];filename=\"<script>alert('CVE-2026-XXXX')</script>.png\"" \
https://target.com/form/upload

Protection from this CVE

Update to patched versions: 1.41.1 or 2.41.1. Sanitize filenames using `preg_replace` to allow only alphanumeric characters and safe delimiters. Apply `htmlspecialchars()` with `ENT_QUOTES` when rendering filenames in the admin panel.

Impact

Arbitrary JavaScript execution in admin context, leading to privilege escalation, session theft, and unauthorized modification of CMS configurations or content.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top