Description
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting.
Published: 2026-03-04
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting in the Legacy Form block
Action: Patch
AI Analysis

Impact

Concrete CMS versions prior to 9.4.8 allow an authenticated user with form‑creation or editing privileges to embed a persistent JavaScript payload into the options of a multiple‑choice question in the Legacy Form block. When any user views a page containing that form, the stored script runs in the visitor’s browser. The flaw is a data‑injection vulnerability (CWE‑79) that exposes users to arbitrary client‑side code execution but does not provide direct server‑side code execution or data exfiltration from the CMS itself.

Affected Systems

All releases of Concrete CMS before 9.4.8 are affected. Users on 9.4.8 or later are not impacted. The official fix begins with version 9.4.8 as noted in the vendor’s release notes and pull request documentation.

Risk and Exploitability

The CVSS v4.0 score of 4.8 indicates moderate severity. The EPSS score is below 1 %, implying that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires legitimate high‑privilege credentials to inject the payload, and the attacker must rely on victims visiting the affected page to trigger the client‑side code. No additional system compromise options are disclosed by the vendor or the CVE description.

Generated by OpenCVE AI on April 18, 2026 at 10:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.4.8 or later.
  • Replace any Legacy Form blocks on public or internal pages with newer form modules or remove the Legacy Form module entirely as a temporary safeguard.
  • Limit form‑creation and editing permissions to trusted administrators and audit user privileges regularly.

Generated by OpenCVE AI on April 18, 2026 at 10:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f4vq-pj32-gr4q Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
History

Wed, 04 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Wed, 04 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Concretecms
Concretecms concrete Cms
Vendors & Products Concretecms
Concretecms concrete Cms

Wed, 04 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting.
Title Concrete CMS below version 9.4.8 is vulnerable to a stored cross-site scripting (XSS) in the "Legacy Form" block.
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Concretecms Concrete Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-03-04T15:42:07.836Z

Reserved: 2026-02-26T02:21:35.988Z

Link: CVE-2026-3241

cve-icon Vulnrichment

Updated: 2026-03-04T15:42:04.105Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T03:16:05.107

Modified: 2026-03-04T21:32:10.597

Link: CVE-2026-3241

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses