CVE-2026-3241

Medium CVSS: 4.8

In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting.

Vendor

Concretecms

Product

Concrete Cms

CWE

CWE-79

Yayın Tarihi

2026-03-04 03:16:05

Güncelleme

2026-03-04 21:32:10

Source Identifier

ff5b8ace-8b95-4078-9743-eac1ca5451de

KEV Date Added

Kategoriler

CWE-79 Concrete Cms MEDIUM Concretecms 2026

Referanslar

https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes https://github.com/concretecms/concretecms/pull/12826

Benzer Kayıtlar

Medium

CVE-2026-30662

ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method…

Medium

CVE-2026-3242

In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concre…

Low

CVE-2026-2994

Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configu…

Medium

CVE-2026-3240

In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored…

Medium

CVE-2026-3244

In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where…

High

CVE-2026-3452

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express…