All known vulnerabilities
CRITICAL 9.8 | CVE-2022-50807 | Concrete5 CMS contains an XPath injection vulnerability
CRITICAL 9.8 | CVE-2023-28473 | Concrete CMS (previously concrete5) is vulnerable to possible auth bypass in the jobs section | from 0, < 9.2.0
HIGH 8.8 | CVE-2022-43693 | Concrete CMS vulnerable to Cross-site Request Forgery | from 0, < 8.5.10
HIGH 8.2 | CVE-2021-22958 | Server-Side Request Forgery vulnerability in concrete5 | from 0, < 8.5.5
from 0, < 8.5.3
MEDIUM 6.5 | CVE-2026-30662 | ConcreteCMS is vulnerable to Denial of Service During Bulk Downloads | from 0, <= 9.4.7
MEDIUM 6.5 | CVE-2022-43686 | Concrete CMS vulnerable to Uncontrolled Resource Consumption leading to DoS | from 0, < 8.5.10
MEDIUM 6.3 | CVE-2022-43690 | Concrete CMS vulnerable to Improper Authentication | from 0, < 8.5.10
from 0, < 9.2.0
MEDIUM 6.1 | CVE-2022-43694 | Concrete CMS vulnerable to Reflected Cross-site Scripting via image manipulation library | from 0, < 8.5.10
MEDIUM 6.1 | CVE-2022-43692 | Concrete CMS vulnerable to Reflected Cross-site Scripting | from 0, < 8.5.10
MEDIUM 6.1 | CVE-2022-43967 | Concrete CMS vulnerable to Cross-site Scripting via multilingual report | from 0, < 8.5.10
MEDIUM 6.1 | CVE-2022-43968 | Concrete CMS vulnerable to Reflected Cross-Site Scripting via dashboard icons | from 0, < 8.5.10
MEDIUM 6.1 | CVE-2017-7725 | Concrete CMS vulnerable to cross-site scripting (XSS) | from 0, <= 8.1.0
from 0, < 9.2.0
>= 9.0.0, < 9.3.4
MEDIUM 5.4 | CVE-2023-44760 | Concrete CMS Cross-site Scripting vulnerability | from 0, <= 9.2.1
MEDIUM 5.4 | CVE-2023-44763 | ConcreteCMS vulnerable to Stored Cross-site Scripting | from 0, <= 9.2.1
from 0, <= 9.2.1
from 0, <= 9.2.1
from 0, < 9.2.2
from 0, < 9.2.2
from 0, <= 9.2.1
from 0, < 9.2.0
from 0, < 9.2.0
from 0, < 9.2.0
from 0, < 8.5.10
MEDIUM 5.4 | CVE-2021-28145 | Concrete CMS Cross-site Scripting via Survey Blocks | from 0, < 8.5.5
from 0, < 9.1.0
from 0, < 9.2.0
MEDIUM 5.3 | CVE-2022-43691 | Concrete CMS vulnerable to Cleartext Transmission of Sensitive Information | from 0, < 8.5.10
from 0, < 8.5.10
from 0, < 8.5.3
MEDIUM 4.8 | CVE-2026-3242 | Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability | from 0, < 9.4.8
MEDIUM 4.8 | CVE-2026-3241 | Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability | from 0, < 9.4.8
>= 9.0.0, < 9.3.4
MEDIUM 4.8 | CVE-2024-8660 | Concrete CMS stored XSS vulnerability in the "Top Navigator Bar" block | >= 9.0.0, < 9.3.3
from 0, < 8.5.14
MEDIUM 4.8 | CVE-2022-43695 | Concrete CMS Cross-site Scripting vulnerability | from 0, < 8.5.10
MEDIUM 4.8 | CVE-2022-43688 | Concrete CMS vulnerable to Cross-site Scripting | from 0, < 8.5.10
MEDIUM 4.3 | CVE-2023-48653 | Concrete CMS Cross Site Request Forgery (CSRF) vulnerability | from 0, < 8.5.14
MEDIUM 4.3 | CVE-2023-48651 | Concrete CMS Cross Site Request Forgery (CSRF) vulnerability | >= 9.0.0, < 9.2.3
from 0, < 9.2.3
MEDIUM 4.2 | CVE-2022-43556 | Concrete CMS vulnerable to cross-site scripting in the text input field | from 0, < 8.5.10
LOW 3.5 | CVE-2025-2967 | ConcreteCMS Cross-Site Scripting (XSS) via HTML Block Text Field | from 0, <= 9.3.9
from 0, < 8.5.13
LOW 3.5 | CVE-2023-28819 | Concrete CMS (previously concrete5) is vulnerable to stored XSS in uploaded file and folder names | from 0, < 9.1.0
LOW 3.1 | CVE-2024-4353 | Concrete CMS vulnerable to Stored Cross-site Scripting | >= 9.0.0, <= 9.3.2
LOW 3.1 | CVE-2024-3179 | Concrete CMS Stored XSS in the Custom Class page editing | >= 9.0.0RC1, < 9.2.8
>= 9.0.0RC1, < 9.2.8
LOW 3.1 | CVE-2024-3178 | Concrete CMS Cross-site Scripting (XSS) in the Advanced File Search Filter | >= 9.0.0RC1, < 9.2.8
LOW 3.1 | CVE-2024-3180 | Concrete CMS Stored XSS in blocks of type file | >= 9.0.0RC1, < 9.2.8
LOW 3.0 | CVE-2024-4350 | Concrete CMS Stored Cross-site Scripting vulnerability | from 0, < 8.5.18
LOW 2.4 | CVE-2024-8661 | Concrete CMS Stored XSS in the "Next&Previous Nav" block | from 0, < 8.5.19
>= 9.0.0, < 9.2.3
LOW 2.4 | CVE-2024-1245 | Concrete CMS vulnerable to stored XSS in file tags and description attributes | >= 9.0.0RC1, < 9.2.5
LOW 2.2 | CVE-2024-2179 | Concrete CMS Stored Cross-site Scripting vulnerability | from 0, < 9.2.7
LOW 2.0 | CVE-2024-7512 | Concrete CMS vulnerable to Stored Cross-site Scripting | >= 9.0.0RC1, < 9.3.3
LOW 2.0 | CVE-2024-7394 | Concrete CMS Stored XSS in getAttributeSetName | from 0, < 8.5.18
LOW 2.0 | CVE-2024-2753 | Concrete CMS Stored XSS on the calendar color settings screen | >= 9.0.0RC1, < 9.2.8
LOW 2.0 | CVE-2024-1246 | Concrete CMS vulnerable to reflected XSS via the Image URL Import Feature | >= 9.0.0RC1, < 9.2.5
LOW 2.0 | CVE-2024-1247 | Concrete CMS vulnerable to stored XSS via the Role Name field | >= 9.0.0RC1, < 9.2.5
from 0, < 9.1.0
— | CVE-2026-2994 | Concrete CMS vulnerable to Cross-Site Request Forgery (CSRF) | from 0, < 9.4.8
— | CVE-2026-3244 | Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability | from 0, < 9.4.8
— | CVE-2026-3240 | Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability | from 0, < 9.4.8
— | CVE-2026-3452 | Concrete CMS vulnerable to Remote Code Execution by stored PHP object injection | from 0, < 9.4.8
— | CVE-2025-8573 | Concrete CMS is vulnerable to Stored XSS from Home Folder on Members Dashboard page | >= 9.0.0RC1, < 9.4.3
— | CVE-2025-8571 | Concrete CMS vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page | from 0, < 8.5.21
— | CVE-2025-3153 | Concrete CMS Vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) | >= 9.0.0, < 9.4.0RC2
— | CVE-2025-0660 | Concrete CMS affected by a stored XSS in Folder Function. The "Add Folder" functionality | from 0, < 9.4.0RC1
— | CVE-2023-48648 | Concrete CMS allows unauthorized access because directories can be created with insecure permissions | from 0, < 8.5.13
from 0, < 5.7.4
>= 5.5.1, < 5.6.1
from 0, < 9.0.0