Overview
CVE-2026-32279 describes a Server-Side Request Forgery (SSRF) vulnerability in Connect-CMS where the external page migration feature of the Page Management Plugin could be abused. Versions 1.x up to 1.41.0 and 2.x up to 2.41.0 are affected; a patch was released in 1.41.1 and 2.41.1. The vulnerability allows an attacker-controlled URL to be requested by the server without proper validation, potentially enabling access to internal services, cloud endpoints, or other protected resources. This falls under CWE-918 (SSRF) and is exploitable when user-supplied input is used to fetch remote content during migration or proxy-like operations. In Go-based services built with Gin, SSRF can occur when an endpoint accepts a URL from a client and fetches it server-side without validating the target, making internal networks or sensitive services reachable via the server. The remediation pattern is to validate, constrain, and sanitize the target URL before performing network requests, or to avoid direct user-controlled fetches altogether.
Affected Versions
Connect-CMS 1.x up to 1.41.0; Connect-CMS 2.x up to 2.41.0; patched in 1.41.1 and 2.41.1
Code Fix Example
Go (Gin) API Security Remediation
package main\n\nimport (\n "errors"\n "io"\n "net"\n "net/http"\n "net/url"\n "time"\n\n "github.com/gin-gonic/gin"\n)\n\n// Vulnerable pattern: fetch user-supplied URL directly\nfunc vulnerableFetch(target string) (string, error) {\n resp, err := http.Get(target)\n if err != nil { return "", err }\n defer resp.Body.Close()\n body, err := io.ReadAll(resp.Body)\n if err != nil { return "", err }\n return string(body), nil\n}\n\nfunc isPrivateIP(ip net.IP) bool {\n if ip4 := ip.To4(); ip4 != nil {\n if ip4[0] == 10 { return true }\n if ip4[0] == 172 && ip4[1] >= 16 && ip4[1] <= 31 { return true }\n if ip4[0] == 192 && ip4[1] == 168 { return true }\n if ip4[0] == 127 { return true }\n }\n return false\n}\n\nfunc validTarget(u *url.URL) bool {\n if u.Scheme != "http" && u.Scheme != "https" { return false }\n host := u.Hostname()\n ips, err := net.LookupIP(host)\n if err != nil { return false }\n for _, ip := range ips {\n if isPrivateIP(ip) { return false }\n }\n return true\n}\n\nfunc safeFetch(target string) (string, error) {\n u, err := url.Parse(target)\n if err != nil { return "", err }\n if !validTarget(u) { return "", errors.New("target not allowed") }\n client := http.Client{ Timeout: 5 * time.Second }\n resp, err := client.Get(target)\n if err != nil { return "", err }\n defer resp.Body.Close()\n body, err := io.ReadAll(resp.Body)\n if err != nil { return "", err }\n return string(body), nil\n}\n\nfunc main() {\n r := gin.Default()\n r.GET("/vuln/migrate", func(c *gin.Context) {\n target := c.Query("target")\n if target == "" { c.String(400, "missing target"); return }\n body, err := vulnerableFetch(target)\n if err != nil { c.String(500, "error: %v", err); return }\n c.String(200, body)\n })\n r.GET("/fix/migrate", func(c *gin.Context) {\n target := c.Query("target")\n if target == "" { c.String(400, "missing target"); return }\n body, err := safeFetch(target)\n if err != nil { c.String(500, "error: %v", err); return }\n c.String(200, body)\n })\n r.Run(":8080")\n}\n