Description
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the search block, where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to zolpak for reporting.
Published: 2026-03-04
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via Search Results
Action: Immediate Patch
AI Analysis

Impact

Concrete CMS versions below 9.4.8 render search results without proper HTML encoding, enabling authenticated rogue administrators to insert malicious JavaScript into page names. The embedded script executes in the browsers of users who search for and view those pages in search results, providing a stored XSS vector. The weakness is classified as CWE‑79 (improper neutralization of input during web page generation).

Affected Systems

The vulnerability affects installations of Concrete CMS running any version older than 9.4.8; newer releases are not impacted.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires a high‑privilege administrator account and a victim who views the affected search results, but the CVSS vector indicates the attacker can act remotely, so the attack vector is network rather than strictly internal. Overall the risk remains moderate, but the low exploitation likelihood should not induce complacency, especially for organizations with valuable content.

Generated by OpenCVE AI on April 18, 2026 at 10:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.4.8 or later, which removes the vulnerability.
  • If an upgrade cannot be performed immediately, disable the standard search block or replace it with a patch that properly encodes output.
  • Restrict the pool of administrators to trusted users and monitor for anomalous page‑name content that may indicate injection attempts.

Generated by OpenCVE AI on April 18, 2026 at 10:02 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-mm5f-5rqw-574f
Title: Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
History

Wed, 04 Mar 2026 21:45:00 +0000

Type: CPEs
Values added: cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values added: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Wed, 04 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 15:00:00 +0000

Type: First Time appeared
Values added: Concretecms; Concretecms concrete Cms

Type: Vendors & Products
Values added: Concretecms; Concretecms concrete Cms

Wed, 04 Mar 2026 02:00:00 +0000

Type: Description
Values added: In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks zolpak for reporting

Type: Title
Values added: Concrete CMS below version 9.4.8 is vulnerable to Stored XSS in Search Results via Page Names

Type: Weaknesses
Values added: CWE-79

Type: References
Values added:

Type: Metrics (cvssV4_0)
Values added: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-03-04T15:50:49.918Z

Reserved: 2026-02-26T02:57:07.148Z

Link: CVE-2026-3244

Vulnrichment

Updated: 2026-03-04T15:50:46.217Z

NVD

Status: Analyzed

Published: 2026-03-04T02:15:54.663

Modified: 2026-03-04T21:37:24.850

Link: CVE-2026-3244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses