CVE-2026-3241

MEDIUM4.8EPSS 0.01%

Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability

Published: 3/4/2026Modified: 3/4/2026

Description

In Concrete CMS below version 9.4.8, a Cross-site Scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team thanks M3dium for reporting.

Affected packages (1)

Packagist/concrete5/concrete5from 0, < 9.4.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM4.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-3241
PATCHhttps://github.com/concretecms/concretecms
WEBhttps://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes
WEBhttps://github.com/concretecms/concretecms/pull/12826