Package details: pkg:composer/opensource-workshop/connect-cms@2.41.1
purl pkg:composer/opensource-workshop/connect-cms@2.41.1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (6)
Vulnerability Summary Aliases
VCID-1b73-scr2-jucp
Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature

# Security Advisory — Page Content Retrieval (Improper Authorization)

## Summary

An improper authorization issue in the page content retrieval feature may allow retrieval of non-public information.

## Affected Versions

- 1.x series: <= 1.41.0
- 2.x series: <= 2.41.0

## Patched Versions

- 1.41.1
- 2.41.1

## Description

In part of the page content retrieval feature, insufficient authorization checks could allow processing associated with non-public pages to be executed. If exploited, the contents and attachments of non-public pages may be obtained by a third party. Users affected by this vulnerability should update to a fixed version.

## Solution

Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

## Credits

OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.

Aliases: CVE-2026-32299, GHSA-62ch-j6x7-722j

VCID-3mj1-nbj8-c3gn
Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin

# Security Advisory — Page Management Plugin (SSRF)

## Summary

A Server-Side Request Forgery (SSRF) issue exists in the external page migration feature of the Page Management Plugin.

## Affected Versions

- 1.x series: <= 1.41.0
- 2.x series: <= 2.41.0

## Patched Versions

- 1.41.1
- 2.41.1

## Description

In the external page migration feature of the Page Management Plugin, a Server-Side Request Forgery (SSRF) issue could occur. If exploited, it may allow access to internal destinations and could result in information disclosure. Exploitation requires privileges that allow use of the page management screen. Users affected by this vulnerability should update to a fixed version.

## Solution

Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

## Credits

OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.

Aliases: CVE-2026-32279, GHSA-jh46-85jr-6ph9

VCID-7a8g-3pmq-kkej
Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin

# Security Advisory — Form Plugin (Stored XSS)

## Summary

A Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin.

## Affected Versions

- 1.x series: <= 1.41.0
- 2.x series: <= 2.41.0

## Patched Versions

- 1.41.1
- 2.41.1

## Description

In the file field of the Form Plugin, Stored Cross-site Scripting (XSS) could occur. If exploited, arbitrary script could run in an administrator's browser, which may lead to unauthorized actions or information theft. Users affected by this vulnerability should update to a fixed version.

## Solution

Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

## Credits

OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.

Aliases: CVE-2026-32278, GHSA-mv3p-7p89-wq9p

VCID-mj73-wmdy-fben
Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin

# Security Advisory — Code Study Plugin

## Summary

An authenticated user may be able to execute arbitrary code in the Code Study Plugin.

## Affected Versions

- 1.x series: <= 1.41.0
- 2.x series: <= 2.41.0

## Patched Versions

- 1.41.1
- 2.41.1

## Description

In the Code Study Plugin, an authenticated user could trigger unintended code execution. If exploited, it may lead to code execution on the server or information disclosure. Users affected by this vulnerability should update to a fixed version.

## Solution

Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

## Credits

OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.

Aliases: CVE-2026-32276, GHSA-hxqw-6qv7-cqfv

VCID-nb92-9124-k3hp
Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View

# Security Advisory — Cabinet Plugin (DOM-based XSS)

## Summary

A DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view.

## Affected Versions

- 1.x series: >= 1.35.0, <= 1.41.0
- 2.x series: >= 2.35.0, <= 2.41.0

## Patched Versions

- 1.41.1
- 2.41.1

## Description

In the Cabinet Plugin list view, DOM-based Cross-Site Scripting (XSS) could occur due to how saved names were rendered. If exploited, arbitrary script could run in the victim's browser, which may lead to unauthorized actions or information theft. Exploitation requires that the attacker be able to reach the affected functionality as an authenticated user. Users affected by this vulnerability should update to a fixed version.

## Solution

Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

## Credits

OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.

Aliases: CVE-2026-32277, GHSA-cmfh-mpmf-fmq4

VCID-qm2m-cwm1-s3fk
Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information

# Security Advisory — My Page Profile Update (Improper Authorization)

## Summary

An improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information.

## Affected Versions

- 1.x series: <= 1.41.0
- 2.x series: <= 2.41.0

## Patched Versions

- 1.41.1
- 2.41.1

## Description

In part of the My Page profile update feature, another user's profile information or password could be modified. If exploited, arbitrary user accounts may be taken over. Exploitation requires that the attacker be able to reach the affected functionality as an authenticated user. Users affected by this vulnerability should update to a fixed version.

## Solution

Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

## Credits

OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.

Aliases: CVE-2026-32300, GHSA-qr6x-wvxr-8hm9

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-07T20:52:08.475096+00:00 GHSA Importer Fixing VCID-qm2m-cwm1-s3fk https://github.com/advisories/GHSA-qr6x-wvxr-8hm9 38.6.0
2026-06-07T20:52:08.370123+00:00 GHSA Importer Fixing VCID-1b73-scr2-jucp https://github.com/advisories/GHSA-62ch-j6x7-722j 38.6.0
2026-06-07T20:52:08.266527+00:00 GHSA Importer Fixing VCID-3mj1-nbj8-c3gn https://github.com/advisories/GHSA-jh46-85jr-6ph9 38.6.0
2026-06-07T20:52:08.132325+00:00 GHSA Importer Fixing VCID-7a8g-3pmq-kkej https://github.com/advisories/GHSA-mv3p-7p89-wq9p 38.6.0
2026-06-07T20:52:08.073266+00:00 GHSA Importer Fixing VCID-nb92-9124-k3hp https://github.com/advisories/GHSA-cmfh-mpmf-fmq4 38.6.0
2026-06-07T20:52:07.969247+00:00 GHSA Importer Fixing VCID-mj73-wmdy-fben https://github.com/advisories/GHSA-hxqw-6qv7-cqfv 38.6.0
2026-06-07T03:17:24.367984+00:00 GitLab Importer Fixing VCID-nb92-9124-k3hp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/opensource-workshop/connect-cms/CVE-2026-32277.yml 38.6.0
2026-06-07T03:17:24.074990+00:00 GitLab Importer Fixing VCID-qm2m-cwm1-s3fk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/opensource-workshop/connect-cms/CVE-2026-32300.yml 38.6.0
2026-06-07T03:17:23.889042+00:00 GitLab Importer Fixing VCID-7a8g-3pmq-kkej https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/opensource-workshop/connect-cms/CVE-2026-32278.yml 38.6.0
2026-06-07T03:17:23.754469+00:00 GitLab Importer Fixing VCID-3mj1-nbj8-c3gn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/opensource-workshop/connect-cms/CVE-2026-32279.yml 38.6.0
2026-06-07T03:17:23.044343+00:00 GitLab Importer Fixing VCID-1b73-scr2-jucp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/opensource-workshop/connect-cms/CVE-2026-32299.yml 38.6.0
2026-06-07T03:17:22.998235+00:00 GitLab Importer Fixing VCID-mj73-wmdy-fben https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/opensource-workshop/connect-cms/CVE-2026-32276.yml 38.6.0
2026-06-04T16:59:19.502855+00:00 GithubOSV Importer Fixing VCID-3mj1-nbj8-c3gn https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-jh46-85jr-6ph9/GHSA-jh46-85jr-6ph9.json 38.6.0
2026-06-04T16:58:48.138821+00:00 GithubOSV Importer Fixing VCID-qm2m-cwm1-s3fk https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-qr6x-wvxr-8hm9/GHSA-qr6x-wvxr-8hm9.json 38.6.0
2026-06-04T16:57:41.244134+00:00 GithubOSV Importer Fixing VCID-7a8g-3pmq-kkej https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mv3p-7p89-wq9p/GHSA-mv3p-7p89-wq9p.json 38.6.0
2026-06-04T16:57:38.376810+00:00 GithubOSV Importer Fixing VCID-nb92-9124-k3hp https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-cmfh-mpmf-fmq4/GHSA-cmfh-mpmf-fmq4.json 38.6.0
2026-06-04T16:57:08.482261+00:00 GithubOSV Importer Fixing VCID-1b73-scr2-jucp https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-62ch-j6x7-722j/GHSA-62ch-j6x7-722j.json 38.6.0
2026-06-04T16:56:52.754356+00:00 GithubOSV Importer Fixing VCID-mj73-wmdy-fben https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-hxqw-6qv7-cqfv/GHSA-hxqw-6qv7-cqfv.json 38.6.0