
43609 matches found

Vulnrichment
added 2026/03/23 9:06 p.m., 2 views

CVE-2026-32276 Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to execute arbitrary code in the Code Study Plugin. Versions 1.41.1 and 2.41.1 contain a patch...

CVSS 8.8 | AI score 6.2 | EPSS 0.00463
Exploits: 0 | References: 4

OSV
added 2026/03/23 9:06 p.m., 3 views

CVE-2026-32276 Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to execute arbitrary code in the Code Study Plugin. Versions 1.41.1 and 2.41.1 contain a patch...

CVSS 8.8 | AI score 6.2 | EPSS 0.00463
Exploits: 0 | References: 6

EUVD
added 2026/03/23 8:38 p.m., 5 views

EUVD-2026-14574

Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature...

CVSS 7.5 | AI score 5.8 | EPSS 0.00268
Exploits: 0 | References: 3

Snyk
added 2026/03/23 8:38 p.m., 1 view

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization through insufficient authorization checks in the page content retrieval. An attacker can access the contents and attachments of non-public pages by sending unauthorized requests. Remediation: Upgrade...

CVSS 7.5 | AI score 5.8 | EPSS 0.00268
Exploits: 0 | References: 2

EUVD
added 2026/03/23 8:36 p.m., 2 views

EUVD-2026-14573

Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin...

CVSS 6.8 | AI score 5.8 | EPSS 0.00347
Exploits: 0 | References: 5

EUVD
added 2026/03/23 8:36 p.m., 8 views

EUVD-2026-14570

Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin...

CVSS 8.2 | AI score 5.8 | EPSS 0.00197
Exploits: 0 | References: 4

Snyk
added 2026/03/23 8:36 p.m., 2 views

Arbitrary File Upload

Overview: Affected versions of this package are vulnerable to Arbitrary File Upload in the file field of the Form Plugin. An attacker can execute arbitrary scripts in an administrator's browser by uploading specially crafted files, potentially leading to unauthorized actions or information theft...

CVSS 8.6 | AI score 6.1 | EPSS 0.00197
Exploits: 0 | References: 2

EUVD
added 2026/03/23 8:35 p.m., 5 views

EUVD-2026-14568

Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View...

CVSS 8.7 | AI score 5.8 | EPSS 0.00327
Exploits: 0 | References: 4

EUVD
added 2026/03/23 8:33 p.m., 5 views

EUVD-2026-14566

Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin...

CVSS 8.8 | AI score 5.8 | EPSS 0.00463
Exploits: 0 | References: 4

OSV
added 2026/03/23 8:33 p.m., 2 views

GHSA-HXQW-6QV7-CQFV Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin

Security Advisory — Code Study Plugin. Summary: An authenticated user may be able to execute arbitrary code in the Code Study Plugin. Affected Versions: 1.x series: <= 1.41.0; 2.x series: <= 2.41.0. Patched Versions: 1.41.1, 2.41.1. Description: In the Code Study Plugin, an authenticated user could...

CVSS 8.8 | AI score 6.6 | EPSS 0.00463
Exploits: 0 | References: 6

GitHub Security Blog
added 2026/03/23 8:25 p.m., 9 views

Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground

Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the hashData signing function. This issue was mitigated in versions 3.7.2 and 2.15.2 by disabling...

CVSS 5.5 | AI score 5.9 | EPSS 0.00253
Exploits: 0 | References: 5 | Affected Software: 1

EUVD
added 2026/03/23 8:25 p.m., 2 views

EUVD-2026-14515

Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground...

CVSS 5.5 | AI score 5.8 | EPSS 0.00253
Exploits: 0 | References: 3

OSV
added 2026/03/23 8:25 p.m., 3 views

GHSA-M59H-42JF-CPHR Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground

Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the hashData signing function. This issue was mitigated in versions 3.7.2 and 2.15.2 by disabling...

CVSS 5.5 | AI score 5.9 | EPSS 0.00253
Exploits: 0 | References: 5

NVD
added 2026/03/23 8:16 p.m., 6 views

CVE-2026-27131

The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other...

CVSS 5.5 | EPSS 0.00253
Exploits: 0 | References: 3

Vulnrichment
added 2026/03/23 7:04 p.m., 3 views

CVE-2026-27131 Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground

The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other...

CVSS 5.5 | AI score 5.8 | EPSS 0.00253
Exploits: 0 | References: 3

CVE
added 2026/03/23 7:04 p.m., 8 views

CVE-2026-27131

The CVE concerns the Sprig Plugin for Craft CMS. Versions 2.0.0 up to, but not including, 2.15.2 and 3.15.2 expose a risk where admin users or those with Sprig Playground access could reveal the security key, credentials, and other sensitive configuration data, and could also run the hashData() s...

CVSS 5.5 | AI score 5.8 | EPSS 0.00253
Exploits: 0 | References: 3

Cvelist
added 2026/03/23 7:04 p.m., 21 views

CVE-2026-27131 Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground

The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other...

CVSS 5.5 | EPSS 0.00253
Exploits: 0 | References: 3

OSV
added 2026/03/23 7:04 p.m., 2 views

CVE-2026-27131 Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground

The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other...

CVSS 5.5 | AI score 5.9 | EPSS 0.00253
Exploits: 0 | References: 5

Patchstack
added 2026/03/23 6:34 p.m., 7 views

WordPress CMS Commander plugin <= 2.288 - Authenticated (Custom+) SQL Injection via 'or_blogname' Parameter vulnerability

Authenticated (Custom+) SQL Injection via 'or_blogname' Parameter vulnerability discovered by WordFence in WordPress Plugin CMS Commander versions <= 2.288...

CVSS 8.8 | AI score 5.9 | EPSS 0.00341
Exploits: 0 | References: 1 | Affected Software: 1

Positive Technologies
added 2026/03/23 12:00 a.m., 5 views

PT-2026-27233

Security Advisory — My Page Profile Update Improper Authorization. Summary: An improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Affected Versions: 1.x series: = 1.41.0; 2.x series: = 2.41.0. Patched Versions: 1.41.1, 2.41.1...

CVSS 8.1 | AI score 5.9 | EPSS 0.00305
Exploits: 0 | References: 9