CVE-2026-32278: Stored Cross-Site Scripting (XSS) via Unrestricted File Upload in Connect-CMS

Source: DEV Community
Vulnerability ID: CVE-2026-32278
CVSS Score: 8.2
Published: 2026-03-23

Connect-CMS versions up to 1.41.0 and 2.41.0 suffer from a Stored Cross-Site Scripting (XSS) vulnerability within the Form Plugin. The application fails to adequately validate file extensions and MIME types on upload, allowing unauthenticated attackers to store malicious HTML files on the server. When an administrator views the uploaded file, the payload executes within the context of the CMS domain, enabling administrative session hijacking.

TL;DR

A critical file upload flaw in Connect-CMS allows unauthenticated users to upload malicious HTML files containing JavaScript. When an administrator views these submissions, the script executes, leading to potential account takeover.

⚠️ Exploit Status: POC

Technical Details

Vulnerability Type: Stored Cross-Site Scripting (XSS)
CWE ID: CWE-434
CVSS v3.1 Score: 8.2 (HIGH)
Attack Vec
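The flaw described above has two halves: the upload side accepts a file whose extension and MIME type were never checked, and the viewing side serves it on the CMS origin where a browser will render it. The following Python is an added example written for this page, not Connect-CMS code, showing the checks a defender would put on both halves: an extension allowlist tied to magic-byte signatures, a consistency check on the client-declared MIME type, a scan for markup in the body, and response headers that force a download instead of rendering. The allowlist, signatures and sample inputs are assumptions chosen for illustration.

```python
"""
Upload validation plus safe-serving headers that close the CWE-434 -> stored
XSS path described for CVE-2026-32278. Added example, not Connect-CMS code.
The allowlist, magic bytes and MIME map below are assumptions for a form
plugin that only needs documents and images.
"""
import os
import re

# extension -> accepted leading bytes (file signature). Assumption: nothing the
# browser can render as active content (html, htm, svg, xml, xhtml) is listed.
ALLOWED = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# extension -> the only MIME type a client may declare for it
EXPECTED_MIME = {
    "pdf": "application/pdf",
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
}

# Tags whose presence in the leading bytes means the body is really markup,
# whatever the extension or declared type claims.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype|html|script|svg|iframe|body|meta|object|embed)", re.I
)


def validate_upload(filename, content, declared_mime=None):
    """Return (accepted, reason) for one uploaded file.

    Rejects anything outside the allowlist, any body whose signature disagrees
    with its extension, any declared MIME that disagrees with the extension,
    and any body that contains markup in its first 4 KiB.
    """
    base = os.path.basename(filename)
    if "." not in base:
        return False, "no extension"
    # rsplit keeps the LAST extension, so "photo.png.html" is judged as .html
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if declared_mime is not None and declared_mime.lower() != EXPECTED_MIME[ext]:
        return False, f"declared MIME {declared_mime} does not match .{ext}"
    if not any(content.startswith(sig) for sig in ALLOWED[ext]):
        return False, f"content does not match .{ext} signature"
    if HTML_MARKERS.search(content[:4096]):
        return False, "markup found in file body"
    return True, "ok"


def download_headers(stored_name):
    """Headers for serving a stored upload so the browser never executes it
    as a page on the CMS origin: forced download, no content sniffing, and a
    CSP sandbox as a second line of defence if it is rendered anyway."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(stored_name))
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


def demo():
    """Run the validator over constructed sample uploads; returns the results."""
    samples = [
        ("report.pdf", b"%PDF-1.7 constructed sample", "application/pdf"),
        ("evil.html", b"<html><script>document.title</script></html>", "text/html"),
        ("photo.png.html", b"<html></html>", "image/png"),
        ("photo.png", b"<html><script>x</script></html>", "image/png"),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"<script>x</script>", "image/png"),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "text/html"),
    ]
    return [(name, *validate_upload(name, body, mime)) for name, body, mime in samples]


if __name__ == "__main__":
    for name, ok, why in demo():
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT':6} {why}")
    print(download_headers("my report.pdf"))
```

The signature check and the markup scan deliberately overlap: the first catches an HTML file renamed to `.png`, the second catches an image that carries a script body after a valid header, which matters if a later component ever serves the file with a sniffed or attacker-influenced content type. Serving uploads from a separate origin (a dedicated download host) removes the remaining exposure entirely, because script that does run there has no access to the CMS session.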