CVE-2026-3244

EPSS 0.01%

Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability

Published: 3/4/2026Modified: 3/4/2026

Description

In Concrete CMS below version 9.4.8, A stored Cross-site Scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. The Concrete CMS security team thanks zolpak for reporting.

Affected packages (1)

Packagist/concrete5/concrete5from 0, < 9.4.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-3244
PATCHhttps://github.com/concretecms/concretecms
WEBhttps://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes
WEBhttps://github.com/concretecms/concretecms/pull/12826