HIGHCVE-2026-32300Published 2026-03-23Modified 2026-03-25CNA GitHub_M

CVE-2026-32300: Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Versions 1.41.1 and 2.41.1 contain a patch.

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

opensource-workshop / connect-cms
< 1.41.1 · >= 2.0.0, < 2.41.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-qr6x-wvxr-8hm9
https://github.com/opensource-workshop/connect-cms/commit/7c9951738c62a1d51b91e9956d1eb756c5d52cce
https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1
https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1

Metrics