
CVE-2026-32279: Server-Side Request Forgery in Connect-CMS External Page Migration

By: Dev.to Top | Posted On: March 24, 2026
CVE-2026-32279: Server-Side Request Forgery in Connect-CMS External Page Migration

Vulnerability ID: CVE-2026-32279
CVSS Score: 6.8
Published: 2026-03-23

Connect-CMS versions 1.x through 1.41.0 and 2.x through 2.41.0 contain a Server-Side Request Forgery (SSRF) vulnerability in the External Page Migration feature. Authenticated users with administrative privileges can supply crafted URLs that force the application to issue HTTP requests to arbitrary internal network resources. This lets an attacker bypass perimeter controls and interact with internal systems, loopback interfaces, or cloud provider metadata services.

TL;DR: An authenticated SSRF in Connect-CMS allows administrators to query internal network services and cloud metadata endpoints because the Page Migration plugin does not validate the destination URL.

⚠️ Exploit Status: POC

Technical Details
Vulnerability Type: Server-Side Request Forgery (SSRF)
CWE ID: CWE-918
CVSS v3.1 Score: 6.8 (Medium)
Attack Vector: Network
Privileges Required: High (Administrator)
Impact: Confidentiality (High), Integrity (None), Availability (None)
CISA KEV Status: Not Listed

Affected Systems
Connect-CMS 1.x series up to 1.41.0
Connect-CMS 2.x series up to 2.41.0
Connect-CMS 1.x: <= 1.41.0 (Fixed in: 1.41.1)
Connect-CMS 2.x: <= 2.41.0 (Fixed in: 2.41.1)

Code Analysis
Commit 617a874 (Validation Logic): introduces UrlUtils::isGlobalHttpUrl for strict destination checking.
Commit 4a1a64a (Proxy and Hardening): disables automatic redirects, enforces middleware integrity, and strips the .html upload extension.

Mitigation Strategies
- Upgrade Connect-CMS to a patched version (1.41.1 or 2.41.1).
- Implement strict egress filtering on the host firewall to block outbound connections to internal IP ranges (RFC 1918) and loopback addresses.
- Enforce IMDSv2 on all cloud compute instances to prevent SSRF-based metadata extraction.
- Monitor outbound network traffic from the application server for anomalous connections.

Remediation Steps
1. Identify the current version of Connect-CMS running in the environment.
2. Back up the application database and configuration files.
3. Apply the patch by upgrading to version 1.41.1 (for 1.x installations) or 2.41.1 (for 2.x installations).
4. Verify the integrity of the Page Management Plugin configuration post-upgrade.
5. Validate that egress firewall rules prevent the application server from initiating connections to 169.254.169.254.

References
GitHub Security Advisory GHSA-jh46-85jr-6ph9
Fix Commit 617a874 (Validation Logic)
Fix Commit 4a1a64a (Proxy and Hardening)
Release v1.41.1
Release v2.41.1
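As an added illustration, written in Python for this page and not Connect-CMS's own PHP code nor the UrlUtils::isGlobalHttpUrl from commit 617a874, this is the kind of destination check the fix describes: only http(s), no embedded credentials, and every address the host resolves to must be globally routable, so loopback, RFC 1918 and the 169.254.169.254 metadata address are refused even when hidden behind a DNS name. The redirect helper shows why automatic redirects stay disabled and each Location header is re-validated; the resolver callback, hostnames and address mappings used with it are constructed.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit


def system_resolver(host):
    """Resolve a hostname to its address strings via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_global_http_url(url, resolve=system_resolver):
    """Return (allowed, reason). Allowed only for http(s) URLs without embedded
    credentials whose host is, or resolves only to, globally routable addresses.
    Illustrative check, not Connect-CMS's UrlUtils::isGlobalHttpUrl."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme is not http or https"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    host = parts.hostname
    try:
        # Literal IP in the URL: check it directly.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # DNS name: check every address it resolves to, so a name that points
        # at 127.0.0.1 or 169.254.169.254 is rejected just like the literal.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, KeyError, ValueError):
            return False, "host does not resolve"
    if not addrs:
        return False, "host has no addresses"
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges apply.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        # is_global excludes loopback, link-local (incl. 169.254.169.254),
        # RFC 1918, reserved and documentation ranges; multicast is refused too.
        if addr.is_multicast or not addr.is_global:
            return False, f"non-global address {addr}"
    return True, "ok"


def check_redirect_target(location, base_url, resolve=system_resolver):
    """With automatic redirects disabled, the client validates each Location
    header itself before following it, so a globally routable first hop cannot
    bounce the request to an internal address."""
    return is_global_http_url(urljoin(base_url, location), resolve=resolve)
```

Pair the check with the egress filtering from the mitigation list: host-level validation stops the obvious cases, while the firewall rule on 169.254.169.254 and RFC 1918 ranges catches what a resolver race or a new bypass slips past.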