Skip to main content

Concrete CMS CVE-2026-8139

| EUVDEUVD-2026-31380 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-21 ff5b8ace-8b95-4078-9743-eac1ca5451de GHSA-pcrh-gj77-j4mw
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 22:35 vuln.today

DescriptionCVE.org

Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N.  Thanks Yonatan Drori (Tenzai) for reporting.

AnalysisAI

Stored XSS in Concrete CMS 9.5.0 and below allows a high-privileged authenticated attacker to inject malicious scripts via the cvName parameter of external-link pages, exploiting a sanitization bypass in the updateCollectionAliasExternal function. The injected payload is persisted server-side and executes in the browser of any user who subsequently views the affected page within the CMS backend. The vendor-assigned CVSS v4.0 score of 2.0 reflects constrained real-world impact: exploitation requires admin-level credentials, prerequisite attack conditions (AT:P), and passive victim interaction, with no public exploit identified at time of analysis.

Technical ContextAI

Concrete CMS is a PHP-based content management system. The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS), where user-supplied input is written to persistent storage without adequate sanitization and later rendered in browser contexts. The specific function updateCollectionAliasExternal, which processes the cvName field for external-link page collection aliases, lacks or bypasses the sanitization applied elsewhere in the CMS. Stored XSS differs from reflected XSS in that the payload is not transient - it persists until explicitly removed, increasing the window of exposure. The CVSS v4.0 vector (AV:N/AC:L/AT:P/PR:H/UI:P) indicates the attack is network-delivered with low complexity once access is obtained, but requires prerequisite conditions and passive user interaction to complete the exploit chain.

RemediationAI

Upgrade to Concrete CMS 9.5.1, which is confirmed as the patched release per the vendor's official release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. If immediate patching is not feasible, restrict CMS administrative panel access to trusted IP addresses or VPN-only networks to reduce the attack surface, noting that this does not remediate the underlying sanitization flaw but substantially limits who can trigger it. Additionally, a WAF rule blocking script injection patterns (e.g., angle brackets, javascript: URIs) in the cvName parameter of external-link page requests can serve as a compensating control, though WAF bypasses are possible and this should not substitute for patching. Audit admin account credentials and enable multi-factor authentication to reduce risk from compromised high-privilege accounts.

CVE-2021-22968 HIGH POC
7.2 Nov 19

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co

CVE-2021-36766 HIGH POC
7.2 Jul 30

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl

CVE-2020-24986 HIGH POC
7.2 Sep 04

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File

CVE-2020-11476 HIGH POC
7.2 Jul 28

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity

CVE-2018-13790 HIGH POC
7.2 Jul 09

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-2994 MEDIUM POC
6.8 Mar 04

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co

CVE-2017-8082 MEDIUM POC
6.5 Apr 24

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in

CVE-2023-48648 CRITICAL
9.8 Nov 17

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec

CVE-2022-21829 CRITICAL
9.8 Jun 24

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho

CVE-2021-22958 CRITICAL
9.8 Oct 07

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad

CVE-2021-40098 CRITICAL
9.8 Sep 27

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Share

CVE-2026-8139 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy