CVE-2026-32277: Persistent DOM-based XSS in Connect-CMS Cabinet Plugin

Connect-CMS utilizes the Cabinet Plugin to manage files and folders within the administrative interface. The application processes user-supplied file and folder metadata, specifically item names, and dynamically renders them in the frontend view using client-side JavaScript. This architecture introduces an attack surface where maliciously crafted data can interact with browser-side rendering logic.

CVE-2026-32277 represents a persistent DOM-based Cross-Site Scripting (XSS) vulnerability categorized under CWE-79. The flaw specifically resides in the index.blade.php file associated with the Cabinet Plugin's list view interface. The vulnerability affects the 1.x release branch from version 1.35.0 to 1.41.0, and the 2.x release branch from version 2.35.0 to 2.41.0.

The attack vector requires the adversary to possess an authenticated account with sufficient privileges to upload files or create directories within the Cabinet Plugin. By supplying a crafted string containing HTML and JavaScript as the file or folder name, the attacker embeds a persistent payload into the application database. The payload lies dormant until an authorized user accesses the affected interface.

The developers resolved the vulnerability in versions 1.41.1 and 2.41.1. The remediation involved replacing the vulnerable DOM manipulation methods with safe, text-only assignments, neutralizing the execution of injected HTML tags.

The fundamental mechanism of this vulnerability is the unsafe assignment of untrusted, user-controllable data to a sensitive Document Object Model (DOM) sink. In the affected versions of Connect-CMS, the frontend JavaScript logic manages a selection list reflecting the files or folders a user has chosen within the Cabinet interface. The application stores the names of these selected items in a client-side array named this.selectedContents.

To update the user interface, the application maps over the this.selectedContents array, wraps each item name in an HTML list item (<li>) tag using template literals, and concatenates the results into a single string. This approach relies on string interpolation to construct dynamic HTML structures based on data retrieved from the application backend.

The critical flaw manifests when the application assigns this concatenated string directly to the .innerHTML property of the DOM element identified by selected-contents{{$frame_id}}. The .innerHTML property serves as an execution sink. When a browser processes an assignment to .innerHTML, it invokes its internal HTML parser to interpret the string.

Because the application performs no contextual escaping or sanitization prior to the assignment, the browser parses any embedded HTML tags within the file or folder names as active markup rather than literal text. Consequently, script elements or event handlers injected into the metadata execute immediately within the security context of the user viewing the interface.

An examination of the vulnerable code path reveals the explicit use of the .innerHTML property for DOM updates. The logic retrieves the target element by its ID and directly updates its content using the map and join array methods on the this.selectedContents data structure.

// Vulnerable Code Fragment (index.blade.php)
const selectedList = document.getElementById('selected-contents{{$frame_id}}');
if (selectedList) {
    // UNSAFE: name is interpolated into a string and parsed as HTML
    selectedList.innerHTML = this.selectedContents.map(name => `<li>${name}</li>`).join('');
}

The patch implemented in commit c04dc40f814eff891915752ef1ec00ba6612441c refactors the DOM update mechanism to utilize safe API endpoints. The developers replaced the string concatenation approach with programmatic element creation and text assignment.

// Patched Code Fragment (index.blade.php)
const selectedList = document.getElementById('selected-contents{{$frame_id}}');
if (selectedList) {
    // Clear the list safely
    selectedList.textContent = '';
    
    // SAFE: Use textContent to ensure the name is treated as data, not code
    this.selectedContents.forEach((name) => {
        const listItem = document.createElement('li');
        listItem.textContent = name;
        selectedList.appendChild(listItem);
    });
}

The patched logic first clears the list using .textContent = ''. It then iterates through the selected items, explicitly creating a new <li> element using document.createElement('li'). Crucially, the application assigns the user-controlled name to the element using the .textContent property. The .textContent property ensures the browser strict interprets the assigned value as literal text data, neutralizing any embedded HTML entities or script tags.

Exploitation of CVE-2026-32277 begins with the attacker authenticating to the Connect-CMS instance. The attacker requires permissions allowing interaction with the Cabinet Plugin, specifically the ability to create directories or upload files. The application's failure to validate or sanitize input during the creation process facilitates the injection phase.

The attacker constructs a malicious payload designed to escape the presumed context and execute JavaScript. A standard vector involves utilizing an HTML image tag with a manipulated source attribute and an error event handler. For example, the attacker names a new folder "><img src=x onerror=alert(document.domain)>. The CMS backend processes this request and stores the malicious string persistently in the database as a legitimate item name.

The execution phase triggers when a victim, such as a site administrator, accesses the Cabinet Plugin's list view. As the interface loads or as the user selects the maliciously named item, the vulnerable JavaScript logic retrieves the stored payload. The application assigns the payload to the DOM via the .innerHTML sink, prompting the victim's browser to parse the injected HTML and execute the specified JavaScript payload.

The primary consequence of successful exploitation is arbitrary JavaScript execution within the security context of the victim's browser session. This execution bypasses Same-Origin Policy (SOP) restrictions, granting the malicious script full access to the Document Object Model, session cookies, and local storage data associated with the Connect-CMS domain.

Attackers frequently leverage this access to perform browser session hijacking (MITRE ATT&CK T1185). By exfiltrating authentication tokens or session cookies via asynchronous background requests to an attacker-controlled server, the adversary can subsequently authenticate to the CMS using the victim's identity without requiring valid credentials.

The vulnerability facilitates severe privilege escalation scenarios. If the victim accessing the manipulated Cabinet Plugin interface possesses administrative privileges, the injected script can automatically issue authenticated API requests on their behalf. These requests can alter site configurations, manipulate content, or provision new administrative accounts under the attacker's control.

The CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N accurately reflects the threat profile. The attack vector is network-based with low complexity, requiring low privileges for the initial injection but necessitating user interaction for execution. The scope is changed because the injected code affects the user's browser environment, resulting in high impacts to both confidentiality and integrity.

The definitive remediation for CVE-2026-32277 requires upgrading the Connect-CMS installation to the patched versions. Administrators operating the 1.x branch must upgrade to version 1.41.1, while those utilizing the 2.x branch must upgrade to version 2.41.1. These updates contain the commit that eliminates the unsafe .innerHTML assignment within the Cabinet Plugin.

To establish defense-in-depth, organizations should deploy a robust Content Security Policy (CSP). A CSP restricting the script-src directive to explicit, trusted domains and disabling the unsafe-inline directive mitigates the impact of XSS vulnerabilities. If the application attempts to execute an injected inline event handler (such as an onerror attribute), the browser's CSP enforcement will block the execution and report the violation.

Developers must implement comprehensive server-side input validation for all metadata fields. The backend infrastructure should reject requests attempting to save file or folder names containing unescaped HTML control characters (such as angle brackets and quotation marks). Validating input at the boundary prevents the persistence of malicious payloads in the database.

Security teams can detect vulnerable instances by analyzing the application's frontend source code. The presence of the string .innerHTML = this.selectedContents.map within the JavaScript files served by the /plugin/cabinets/index endpoint indicates an unpatched system. Automated vulnerability scanners can utilize this pattern to identify exposure across a fleet of applications.