Impact
Concrete CMS versions 9.5.0 and earlier are affected by a reflected cross-site scripting (XSS) vulnerability in the Legacy Pagination component, which writes the raw request URL into the href attribute of an <a> tag without encoding it for that context. An attacker can craft a link to the /dashboard/reports/forms/legacy page whose URL carries a JavaScript payload and deliver it to an authenticated administrator or report viewer; when the victim follows the link, the payload executes in the victim's browser within the victim's session, allowing the attacker to steal session data or credentials, deface content, or perform further actions under the victim's authority. The root cause is insufficient output encoding of the URL before it is placed in the attribute.
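The unsafe pattern described above, beside a hardened version, as an added Python example that is not Concrete CMS code (the product is written in PHP; the pattern is language-independent). The function names, the allowed path prefix and the sample URLs are assumptions constructed for the example. The check function parses the rendered markup the way a browser would and reports whether the anchor ended up with any attribute other than a same-site href.

```python
"""Vulnerable vs hardened pagination link rendering (added illustration).

This is NOT Concrete CMS code. It reproduces, in Python, the generic pattern the
advisory describes (a request URL written raw into an href attribute) beside a
hardened version. Function names, the allowed path prefix and the sample URLs
are assumptions chosen for the example.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample inputs: an ordinary request URL and two hostile ones.
BENIGN_URL = "/dashboard/reports/forms/legacy?sort=date"
ATTRIBUTE_BREAKOUT_URL = '/dashboard/reports/forms/legacy?sort=" onmouseover="alert(document.cookie)'
SCHEME_URL = "javascript:alert(document.domain)//"


def render_page_link_vulnerable(current_url: str, page: int) -> str:
    """The unsafe pattern: the raw URL lands inside href with no encoding."""
    return f'<a href="{current_url}&page={page}">{page}</a>'


def render_page_link_hardened(current_url: str, page: int,
                              allowed_prefix: str = "/dashboard/") -> str:
    """Re-derive the link from parsed components, then attribute-encode it.

    1. Reject anything that is not a relative or http(s) URL (kills javascript:).
    2. Keep only the path and a re-encoded query, so stray quotes in the query
       are percent-encoded instead of closing the attribute.
    3. HTML-escape the result for the attribute context as a second layer.
    """
    parts = urlsplit(current_url)
    if parts.scheme not in ("", "http", "https"):
        raise ValueError(f"refusing URL with scheme {parts.scheme!r}")
    if not parts.path.startswith(allowed_prefix):
        raise ValueError("pagination link must stay under the allowed path")
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "page"]
    query.append(("page", str(page)))
    safe_url = urlunsplit(("", "", parts.path, urlencode(query), ""))
    return f'<a href="{html.escape(safe_url, quote=True)}">{page}</a>'


class _FirstAnchor(HTMLParser):
    """Records the attributes a tolerant HTML parser sees on the first <a>."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attributes(markup: str) -> dict:
    parser = _FirstAnchor()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def link_is_safe(markup: str, allowed_prefix: str = "/dashboard/") -> bool:
    """Check: exactly one attribute (href) whose value is a same-site path."""
    attrs = anchor_attributes(markup)
    if set(attrs) != {"href"}:
        return False  # a quote in the URL broke out and added an attribute
    href = attrs["href"]
    return urlsplit(href).scheme == "" and href.startswith(allowed_prefix)


if __name__ == "__main__":
    for url in (BENIGN_URL, ATTRIBUTE_BREAKOUT_URL):
        bad = render_page_link_vulnerable(url, 2)
        print("vulnerable:", bad, "->", "safe" if link_is_safe(bad) else "UNSAFE")
        good = render_page_link_hardened(url, 2)
        print("hardened:  ", good, "->", "safe" if link_is_safe(good) else "UNSAFE")
    try:
        render_page_link_hardened(SCHEME_URL, 2)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

The benign URL renders identically in both versions; the hostile one gives the vulnerable renderer an extra onmouseover attribute, while the hardened renderer percent-encodes the quote and keeps a single href. Rebuilding the URL from parsed parts is what defeats the javascript: scheme; the html.escape call alone would not, which is why both layers are present.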
Affected Systems
The affected product is Concrete CMS, any release up to and including version 9.5.0. The flaw is exploitable against users who hold administrative or report-viewer privileges and can reach the legacy reports page at /dashboard/reports/forms/legacy; those are the sessions in which the injected script runs. No other vendors or products are listed as affected.
Risk and Exploitability
The CVSS score of 6.0 corresponds to medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so there is no confirmed evidence of widespread exploitation at the time of this analysis. An attacker must craft the malicious link and get an authenticated user to follow it, typically by phishing. Although exploitation requires user interaction and a valid victim session, the impact can be significant for the affected organization, because the script runs with the privileges of an administrator or report viewer.
OpenCVE Enrichment