Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Alfin Joseph for reporting.
AnalysisAI
Stored cross-site scripting in Concrete CMS 9.5.0 and earlier allows authenticated editors to inject persistent JavaScript via the unvalidated 'height' parameter, executing in any subsequent visitor's browser. The CVSS 4.0 score of 7.3 reflects high privilege requirements (editor role) combined with high impact, and no public exploit identified at time of analysis.
Technical ContextAI
Concrete CMS is an open-source PHP content management system. The vulnerability is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) issue in which a controller accepts a $height parameter but fails to perform validation or output encoding before rendering it back into a page template. Because the unsanitized value is stored server-side and re-served to other users, this is a persistent (Type 2) XSS rather than a reflected variant - meaning the payload survives the original request and triggers on subsequent page loads by other users including site administrators.
RemediationAI
Upgrade Concrete CMS to version 9.5.1 or later, which addresses the unsanitized height parameter per the vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. If immediate upgrade is not possible, compensating controls include restricting editor-role assignments to fully trusted users only (side effect: reduces content contribution flexibility), implementing a strict Content Security Policy that disallows inline scripts on rendered pages (side effect: may break legitimate inline JS in custom themes/blocks and require refactoring), and monitoring audit logs for unexpected modifications to block/page properties carrying the height attribute. Forcing administrators to use a separate browser profile or session when reviewing editor-submitted content reduces the blast radius of a successful XSS firing against an admin.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31341
GHSA-9v2g-37mp-qpxf