Description
Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Alfin Joseph for reporting.
Published: 2026-05-21
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and earlier let an editor-level user submit a height value that the controller neither validates nor sanitizes. The value is stored as submitted and later rendered into the page, so an editor can embed arbitrary JavaScript that runs in the browser of every visitor who loads the affected page, within the site's own origin. That is a stored XSS foothold: the script can act with the visitor's session, which opens the door to session hijacking, credential theft, or other client-side actions performed as that visitor.

Affected Systems

Concrete CMS installations running 9.5.0 or earlier are affected; the description names 9.5.0 as the last affected version. Any account holding the editor role or equivalent content-editing permissions can trigger the flaw through the normal CMS editing interface, with no access beyond what an editor already has.

Risk and Exploitability

A CVSS v4.0 base score of 7.3 is rated High. EPSS is not available and the issue is not listed in CISA KEV, so as of publication there is no evidence of exploitation in the wild. The vector (AV:N/AC:H/AT:P/PR:H/UI:P) says the attack is reachable over the network but needs an editor-level account (PR:H), conditions outside the attacker's direct control (AC:H, AT:P), and only passive involvement from the victim, who merely loads the affected page (UI:P). Because the editor role is commonly granted, the privilege requirement is a weaker barrier than the score alone suggests. The impact (VC:H/VI:H/VA:H, no subsequent-system impact) is confined to the vulnerable site and its users, but that includes any administrator who views the page: script running in an administrator's browser runs with the administrator's session, which can extend the attacker's reach well beyond the editor role.

Generated by OpenCVE AI on May 21, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Concrete CMS release newer than 9.5.0 that corrects the height-parameter handling as soon as the vendor publishes one; at the time of writing the page lists no vendor fix, so track the vendor's advisory for the fixed release
  • Until an upgrade is possible, restrict the editor role to trusted accounts, and audit content already stored by editors for height values containing quotes, angle brackets or script-like strings; a fix that only validates new input does not remove payloads that were stored before it was applied
  • If you maintain a custom build, validate height as an integer in the controller and HTML-encode it at the output sink; a web-application firewall rule that blocks script-like strings in the height parameter is a stopgap only, since an attribute-context payload needs no <script> tag and can be encoded to evade signatures
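The pattern the advisory and the actions above describe, as an added example that is not Concrete CMS's own code: a stand-in controller that stores an editor-supplied height and renders it into an attribute, first unvalidated and unencoded as the description characterises the flaw, then hardened with integer validation on input and HTML encoding at the output sink. The function names, the in-memory $storage array, the inline markup and the payload are all constructed for illustration; the real controller, template and attribute context in Concrete CMS are not given on this page.

```php
<?php
// Added example (not Concrete CMS's own code). HeightController-style
// functions, the $storage array, the markup and the payload are assumptions
// for illustration; they do not reproduce the CMS's real controller.

declare(strict_types=1);

// Stand-in for the CMS's persistence layer: an in-memory array.
$storage = [];

// VULNERABLE: stores whatever the editor submitted and echoes it unescaped.
function saveHeightVulnerable(array &$storage, array $request): void
{
    // $request['height'] comes straight from the editor's form post.
    $storage['height'] = $request['height'];
}

function renderVulnerable(array $storage): string
{
    // The stored value lands inside an attribute with no encoding, so a
    // double quote in the value closes the attribute early.
    return '<div class="block" style="height: ' . $storage['height'] . 'px">...</div>';
}

// HARDENED: validate on input (a positive integer within a sane range)
// and encode at the output sink regardless of what was stored.
function saveHeightHardened(array &$storage, array $request): void
{
    $raw = $request['height'] ?? '';
    $height = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 4000],
    ]);
    if ($height === false) {
        throw new InvalidArgumentException('height must be an integer between 1 and 4000');
    }
    $storage['height'] = $height; // stored as int, never as an arbitrary string
}

function renderHardened(array $storage): string
{
    // Encode at the sink even though a validated value is only digits.
    $safe = htmlspecialchars((string) $storage['height'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="block" style="height: ' . $safe . 'px">...</div>';
}

// Constructed payload: closes the style attribute and adds an event handler;
// the trailing // comments out the "px" the template appends.
$payload = ['height' => '100" onmouseover="alert(document.cookie)//'];

saveHeightVulnerable($storage, $payload);
echo renderVulnerable($storage), PHP_EOL;

try {
    saveHeightHardened($storage, $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

saveHeightHardened($storage, ['height' => '250']);
echo renderHardened($storage), PHP_EOL;

// Defence in depth: output encoding also neutralises a payload that was
// stored before input validation was added.
$storage['height'] = $payload['height'];
echo renderHardened($storage), PHP_EOL;
```

Run with `php example.php`. The vulnerable path writes the payload's quote into the markup unchanged, so the browser parses a new onmouseover attribute; the hardened path rejects the payload at input, emits only digits for a valid value, and, when handed a previously stored payload, encodes the quotes so the attribute stays closed and nothing executes.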

Advisories

No advisories yet.

History

Thu, 21 May 2026 23:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Concretecms; Concretecms concrete Cms

Type: Vendors & Products
Values Removed: (none)
Values Added: Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Alfin Joseph for reporting.

Type: Title
Values Removed: (none)
Values Added: Concrete CMS 9.5.0 and below has Stored XSS on the height parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T20:31:56.536Z

Reserved: 2026-05-09T00:02:43.920Z

Link: CVE-2026-8203

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T21:16:33.380

Modified: 2026-05-21T21:16:33.380

Link: CVE-2026-8203

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T23:15:17Z

Weaknesses