LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-32277

CVE-2026-32277 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: March 23, 2026

Connect-CMS - Stored XSS

Published: March 23, 2026Updated: March 23, 2026Remote Exploitable

Overview

Connect-CMS 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0 contain a stored XSS caused by improper sanitization in the Cabinet Plugin list view, letting attackers execute scripts in victim browsers, exploit requires victim interaction.

Severity & Score

Severity: High
CVSS Score: 8.7
EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers can execute scripts in users' browsers, potentially stealing cookies or performing actions on behalf of users.

Mitigation

Update to versions 1.41.1 or 2.41.1 or later.

References

Social Media Activity(4 posts)

TheHackerWire
TheHackerWire
@thehackerwire
Mar 23, 2026

šŸŸ  CVE-2026-32277 - High (8.7) Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch. šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-32277/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 23, 2026

šŸŸ  CVE-2026-32277 - High (8.7) Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch. šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-32277/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 23, 2026

šŸŸ  CVE-2026-32277 - High (8.7) Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch. šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-32277/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 23, 2026

šŸŸ  CVE-2026-32277 - High (8.7) Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch. šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-32277/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-32277
Severity
High
CVSS Score
8.7
Type
stored_xss
Status
new
EPSS
0.0%
Social Posts
4

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score

0.0%Probability of exploitation in the next 30 days