opensource-workshop/connect-cms Security Advisories for v0.0.1.20200411 (8)
- [HIGH] Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information
  PKSA-mqv7-zr7q-hc9j CVE-2026-32300 GHSA-qr6x-wvxr-8hm9
  Affected version: >=2.0.0,<=2.41.0|<=1.41.0
  Reported by: GitHub
- [HIGH] Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature
  PKSA-cxpk-mhkk-3kqb CVE-2026-32299 GHSA-62ch-j6x7-722j
  Affected version: >=2.0.0,<=2.40.0|<=1.40.0
  Reported by: GitHub
- [MEDIUM] Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin
  PKSA-h93g-m9xg-91qb CVE-2026-32279 GHSA-jh46-85jr-6ph9
  Affected version: >=2.0.0,<=2.41.0|<=1.41.0
  Reported by: GitHub
- [HIGH] Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin
  PKSA-2kyx-vx1v-bbq2 CVE-2026-32278 GHSA-mv3p-7p89-wq9p
  Affected version: >=2.0.0,<=2.41.0|<=1.41.0
  Reported by: GitHub
- [HIGH] Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin
  PKSA-41bx-mcct-sk3j CVE-2026-32276 GHSA-hxqw-6qv7-cqfv
  Affected version: >=2.0.0,<2.41.1|<1.41.1
  Reported by: GitHub
- [HIGH] Connect-CMS information that is restricted to viewing is visible
  PKSA-cq7h-dvpk-527w GHSA-2237-5r9w-vm8j
  Affected version: <=1.8.3
  Reported by: GitHub
- [MEDIUM] Connect-CMS Access control vulnerability
  PKSA-f5w3-swc6-kszw GHSA-5rjc-jc28-cwgg
  Affected version: >=2.0.0,<2.4.7|<1.8.7
  Reported by: GitHub
- [MEDIUM] Connect-CMS Privilege Escalation Vulnerability
  PKSA-2yhq-z83x-hfmm GHSA-qxh3-jgvh-x55j
  Affected version: >=2.0.0,<2.3.2|<1.7.2
  Reported by: GitHub