Impact
Concrete CMS versions older than 9.4.8 permit a user who can edit a page that includes the Legacy form element to store malicious script payloads in the Question field. When a high‑privilege user later views that page, the stored script executes in the user’s browser context, potentially allowing the attacker to capture credentials, hijack sessions, or perform other browser‑based abuses. The vulnerability is a classic input validation flaw classified as CWE‑79. The impact is therefore a stored cross‑site scripting exposure that can affect the confidentiality and integrity of privileged accounts.
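Concrete CMS is a PHP application, so the rendering pattern behind this flaw is shown below in PHP as an added example; it is not Concrete CMS code, and the function names, the label markup and the stored Question value are constructed for illustration. It places the vulnerable output pattern (stored value concatenated into HTML) beside the hardened one (HTML-encoding at output time), which is the CWE-79 fix the page's description implies.

```php
<?php
declare(strict_types=1);

// Added example, not Concrete CMS code. Models how a Question value stored
// by a Legacy form might be rendered into a page. All names are hypothetical.

// Constructed sample of what a user with page-edit rights could store.
const STORED_QUESTION = 'Your name? <script>alert("xss")</script>';

// Vulnerable pattern: the stored value is concatenated into HTML unchanged,
// so the browser parses the <script> tag and runs it for every viewer,
// including a high-privilege user who later opens the page.
function renderQuestionUnsafe(string $question): string
{
    return '<label class="form-question">' . $question . '</label>';
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES encodes both quote styles, ENT_SUBSTITUTE keeps invalid UTF-8
// from blanking the whole string, and the charset is stated explicitly.
function renderQuestionSafe(string $question): string
{
    $encoded = htmlspecialchars(
        $question,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<label class="form-question">' . $encoded . '</label>';
}

// Cheap regression check for templates: rendered output must never carry
// a raw <script tag originating from stored field data.
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$unsafe = renderQuestionUnsafe(STORED_QUESTION);
$safe   = renderQuestionSafe(STORED_QUESTION);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;

// The unsafe render still contains an executable tag; the safe one does not.
assert(containsRawScriptTag($unsafe) === true);
assert(containsRawScriptTag($safe) === false);
```

The same encoding must be applied wherever the stored field is written into markup; encoding on input instead of output is not equivalent, because the value may be emitted into attribute, JavaScript or URL contexts that need different escaping.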
Affected Systems
All installations of Concrete CMS, version 9.4.8 and earlier, that use the Legacy form element on a page editable by users are affected. Any deployment where high-privilege users can view pages containing this legacy form is at risk unless the CMS is upgraded beyond the affected version.
Risk and Exploitability
The CVE carries a CVSS v4.0 score of 4.8, indicating moderate severity. The EPSS score is reported as less than 1%, suggesting a low current probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires only normal edit permissions on a page containing the Legacy form; once injected, the payload is served to every user who views the page, including high-privilege accounts. The likely entry point is the Question field of the Legacy form; the supplied data does not state this explicitly, but the description points to it.
OpenCVE Enrichment
Github GHSA