Description
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-22
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.0 to 9.5.0 contain a stored cross-site scripting flaw in the Atomik theme's page name field. An editor with rights to change page names can embed JavaScript that runs in the browser of any authenticated visitor to the affected account pages. This can lead to session hijacking, credential theft, actions performed in the victim's name, and potentially privilege escalation within the site.

Affected Systems

The vulnerability affects all Concrete CMS releases from 9.0 through 9.5.0 that use the Atomik theme. Sites running these versions are at risk wherever editors can alter page names. The issue is limited to pages rendered with the Atomik theme.

Risk and Exploitability

The CVSS score is 2.1, indicating low overall severity. No EPSS score is available and the vulnerability is not listed in CISA KEV. Exploitation requires that an attacker already holds editor or higher privileges and can modify a page name. Because the attack depends on an existing privileged account, the likelihood of exploitation is low. The flaw does not allow remote code execution and does not affect unauthenticated users, so the attack surface is constrained.

Generated by OpenCVE AI on May 22, 2026 at 15:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.5.1 or later where the Atomik theme flaw is fixed.
  • Disable or remove the Atomik theme from sites until a patched version is available.
  • Review and enforce strict input validation on all page name fields to prevent injection of scripts.
  • Monitor site activity for evidence of stored XSS exploitation.

Generated by OpenCVE AI on May 22, 2026 at 15:38 UTC.
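
The two defensive actions above that can be expressed in code are escaping the page name at the point of output and checking stored page names for markup. The following is an added example, not code from Concrete CMS or the Atomik theme, and it is written in Python for illustration rather than in the PHP the CMS uses. It assumes the page name is rendered into an HTML text node (the `unsafe_heading`/`safe_heading` functions and the `(page_id, page_name)` row shape are assumptions), and the sample rows are constructed.

```python
# Added example, not Concrete CMS or Atomik theme code: shows the difference
# between interpolating a stored page name into HTML unescaped (the pattern
# behind a stored XSS) and escaping it at output time, plus a scan over
# stored page names that flags values containing markup. Row data is constructed.
import html
import re

# Heuristic for markup in a plain-text field: an HTML tag opener, a
# javascript: URL, or an on*= event-handler attribute. Legitimate names
# such as "Q&A" or "a < b" do not match.
MARKUP_RE = re.compile(r"</?[a-z!]|javascript:|\bon\w+\s*=", re.IGNORECASE)


def render_page_name(name: str) -> str:
    """Escape a page name for use in an HTML text node or quoted attribute."""
    return html.escape(name, quote=True)


def unsafe_heading(name: str) -> str:
    """Vulnerable pattern (assumed template shape): the stored value is
    dropped straight into markup, so any tag in it is rendered."""
    return f'<h1 class="page-title">{name}</h1>'


def safe_heading(name: str) -> str:
    """Hardened pattern: the value is escaped at the point of output."""
    return f'<h1 class="page-title">{render_page_name(name)}</h1>'


def suspicious_page_names(pages):
    """Return the ids of pages whose stored name contains markup.

    ``pages`` is an iterable of (page_id, page_name) pairs, for example rows
    pulled from the CMS database. Hits deserve a manual look: either an
    editor stored markup, or a legitimate name tripped the heuristic.
    """
    return [page_id for page_id, name in pages if MARKUP_RE.search(name)]


# Constructed sample rows; page 2 carries markup that an escaping template
# neutralises and an unescaped one renders as HTML.
SAMPLE_PAGES = [
    (1, "About Us"),
    (2, 'Team <b title="x">Bold</b>'),
    (3, "Q&A: a < b"),
]


if __name__ == "__main__":
    for page_id, name in SAMPLE_PAGES:
        print(page_id, "unsafe:", unsafe_heading(name))
        print(page_id, "safe:  ", safe_heading(name))
    print("pages with markup:", suspicious_page_names(SAMPLE_PAGES))
```

The scan is a triage aid, not a filter: the fix for stored XSS is escaping on output in every context the value reaches (text node, attribute, JavaScript), since stricter input validation alone still leaves older rows and other write paths unprotected.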

Advisories

No advisories yet.

History

Fri, 22 May 2026 17:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 16:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Concretecms; Concretecms concrete Cms

Type: Vendors & Products
Values removed: (none)
Values added: Concretecms; Concretecms concrete Cms

Fri, 22 May 2026 14:30:00 +0000

Type: Description
Values removed: (none)
Values added: Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Type: Title
Values removed: (none)
Values added: Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-22T17:08:17.411Z

Reserved: 2026-05-11T17:02:39.581Z

Link: CVE-2026-8353

Vulnrichment

Updated: 2026-05-22T17:08:06.722Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T16:00:13Z

Weaknesses