The vulnerability identified as CVE-2026-32278 affects Connect-CMS, an open-source content management system widely used for website management. The flaw resides in the Form Plugin's file upload functionality, where there is insufficient validation or restriction on the types of files that users can upload (CWE-434: Unrestricted Upload of File with Dangerous Type). This deficiency allows attackers to upload malicious files that can embed scripts, leading to stored Cross-site Scripting (XSS) attacks. When a victim accesses a page that processes or displays the uploaded file, the malicious script executes in their browser context, potentially stealing session tokens, performing actions on behalf of the user, or delivering further payloads. The vulnerability affects all 1.x versions up to 1.41.0 and 2.x versions up to 2.41.0 of Connect-CMS. The vendor has released patches in versions 1.41.1 and 2.41.1 that properly restrict file types and sanitize inputs to prevent this attack vector. The CVSS 3.1 score of 8.2 reflects the network attack vector with high impact on confidentiality and integrity, requiring no privileges but user interaction, and with a scope change due to the potential compromise of user sessions or data. Although no active exploits have been reported, the vulnerability's nature and ease of exploitation through crafted file uploads make it a significant threat to unpatched systems.

The primary impact of this vulnerability is on the confidentiality and integrity of data within affected Connect-CMS installations. Successful exploitation allows attackers to execute arbitrary scripts in the context of authenticated users, potentially leading to session hijacking, data theft, unauthorized actions, and further malware distribution. This can compromise user accounts, administrative functions, and sensitive information managed by the CMS. The availability impact is low but could be indirectly affected if attackers disrupt normal operations or inject malicious payloads that degrade service. Organizations relying on Connect-CMS for public-facing or internal websites are at risk of reputational damage, data breaches, and compliance violations if the vulnerability is exploited. The requirement for user interaction (e.g., visiting a maliciously crafted page) means social engineering or phishing may be used to trigger attacks, increasing the risk in environments with less security awareness.

To mitigate this vulnerability, organizations should immediately upgrade Connect-CMS to versions 1.41.1 or 2.41.1 or later, where the patch has been applied. If immediate upgrade is not feasible, administrators should implement strict file upload restrictions at the web server or application firewall level, allowing only safe file types and scanning uploads for malicious content. Input validation and output encoding should be enforced to prevent script injection. Additionally, deploying Content Security Policy (CSP) headers can help mitigate the impact of stored XSS by restricting script execution sources. User education to recognize phishing attempts and suspicious links can reduce the likelihood of user interaction leading to exploitation. Regular security audits and monitoring for unusual file uploads or web traffic patterns can help detect attempted exploitation. Finally, ensure that all other CMS plugins and dependencies are kept up to date to reduce the attack surface.