Description
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N.  Thanks Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-21
Score: 2 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and earlier allow stored cross‑site scripting through the cvName field of external‑link pages because updateCollectionAliasExternal saves the value without sanitizing it. An attacker who can set that field persists script that runs in the browser of every user who later views the page, which can be used for session hijacking, content defacement or data exfiltration. The CVSS 4.0 score of 2.0 reflects the high privileges required (PR:H) and the need for a victim to load the page (UI:P), but because the payload is stored it keeps firing for every viewer until the value is cleaned up.

Affected Systems

Concrete CMS 9.5.0 and all earlier releases are affected. The advisory text does not name a fixed version, so any installation that has not been upgraded beyond 9.5.0 should be treated as vulnerable.

Risk and Exploitability

With a CVSS score of 2.0 and no EPSS data, the probability of exploitation is not quantified. The flaw is not listed in CISA KEV, so there is no confirmed in‑the‑wild exploitation. An attacker needs high privileges (PR:H), in practice an administrator or content‑editor account able to edit external‑link pages, to plant the payload in cvName, and a victim then has to view the affected page (UI:P) for it to run. That keeps the practical risk low, but the issue still warrants remediation because a compromised or malicious editor account turns it into a persistent foothold against every other user of the site.

Generated by OpenCVE AI on May 21, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Concrete CMS 9.5.1 or later to install the stored XSS fix, as described in the release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
  • Audit existing external‑link pages for unexpected script content and remove or sanitize any entries that contain malicious code
  • Apply server‑side sanitization to the cvName field or implement a custom patch that escapes user input before rendering the link
  • Enforce a Content‑Security‑Policy that disallows inline scripts and inline event handlers (no 'unsafe-inline' in script-src), and optionally front the site with a Web Application Firewall, as defence in depth rather than a substitute for the fix

Generated by OpenCVE AI on May 21, 2026 at 23:21 UTC.
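The audit and the escaping fix in the recommended actions above, as an added example that is not Concrete CMS code and does not use its API. It assumes the names were pulled as (cID, cvID, cvName) rows from the CollectionVersions table, which is an assumption about the schema; SAMPLE_ROWS is constructed test data. Beyond the plain tag injection the advisory describes, the audit also flags attribute‑breakout and javascript: URI payloads, and the render function shows the context‑correct escaping the patched code path should apply.

```python
"""Audit Concrete CMS external-link page names for stored-XSS payloads and
render the link with context-correct escaping.

Added example for this advisory; it is not Concrete CMS code and does not
use its API.  The (cID, cvID, cvName) row shape assumes the values were
pulled from the CollectionVersions table (assumption about the schema).
SAMPLE_ROWS is constructed test data.
"""
import html
import re
from typing import Iterable
from urllib.parse import urlsplit

# Each pattern is a hallmark of markup or script that has no business in a
# plain page name.  Hits are flagged for manual review, so a few false
# positives on names such as "a<b" are acceptable.
SUSPICIOUS = {
    "html-tag": re.compile(r"<\s*/?\s*[a-z]", re.I),               # <img, </a, < script
    "event-handler": re.compile(r"\bon[a-z]{2,}\s*=", re.I),        # onerror=, onmouseover =
    "script-uri": re.compile(r"\b(?:javascript|vbscript)\s*:", re.I),
}

# Constructed rows in (cID, cvID, cvName) order.  Only the first is benign.
SAMPLE_ROWS = [
    (12, 3, "Partner site"),
    (15, 1, "<img src=x onerror=alert(document.cookie)>"),
    (18, 2, 'Docs" onmouseover="alert(1)'),
    (21, 1, "javascript:alert(1)"),
]


def matched_patterns(name: str) -> list[str]:
    """Return the labels of every SUSPICIOUS pattern that matches name."""
    return [label for label, rx in SUSPICIOUS.items() if rx.search(name)]


def audit(rows: Iterable[tuple[int, int, str]]) -> list[dict]:
    """Flag every row whose cvName looks like an injection attempt."""
    findings = []
    for cid, cvid, name in rows:
        hits = matched_patterns(name)
        if hits:
            findings.append({"cID": cid, "cvID": cvid, "cvName": name, "patterns": hits})
    return findings


def render_external_link(name: str, url: str) -> str:
    """Render the external link the way the fixed code path should.

    The name is escaped as an HTML text node and the URL as an attribute
    value; both use html.escape with quote=True so a stray quote cannot
    close the attribute.  Link targets are restricted to http(s) so a
    javascript: URL can never become the href.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"refusing non-http(s) link target: {url!r}")
    return '<a href="{}" rel="noopener noreferrer">{}</a>'.format(
        html.escape(url, quote=True), html.escape(name, quote=True)
    )


if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(f"cID={finding['cID']} cvID={finding['cvID']} "
              f"{finding['patterns']}: {finding['cvName']!r}")
    print(render_external_link(SAMPLE_ROWS[1][2], "https://example.com/"))
```

Run the audit over the real rows after exporting them from the database; anything it flags should be inspected and, where the name is a payload, the page version should be edited or removed. The escaping belongs in the output path regardless of the audit result, because a clean database today says nothing about what an editor saves tomorrow.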


Advisories

No advisories yet.

History

Fri, 22 May 2026 00:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Concretecms; Concretecms concrete Cms
Vendors & Products   (none)           Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 22:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N.  Thanks Yonatan Drori (Tenzai) for reporting.
Title        (none)           Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName
Weaknesses   (none)           CWE-79
References   (none)
Metrics      (none)           cvssV4_0 {'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T21:45:49.849Z

Reserved: 2026-05-07T18:05:51.056Z

Link: CVE-2026-8139

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T22:16:49.533

Modified: 2026-05-21T22:16:49.533

Link: CVE-2026-8139

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T00:00:12Z

Weaknesses