Skip to main content

Concrete CMS CVE-2026-8245

| EUVDEUVD-2026-31357 MEDIUM
Improper Neutralization of Script in Attributes in a Web Page (CWE-83)
2026-05-21 ConcreteCMS GHSA-f73j-pm2c-rxvr
6.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 22:46 vuln.today

DescriptionCVE.org

Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (<a href="{$linkURL}" …>). Any authenticated admin or report viewer with access to /dashboard/reports/forms/legacy who clicks the crafted URL fires the payload in their session. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting

AnalysisAI

Reflected XSS in Concrete CMS 9.5.0 and below allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in the browser of an authenticated admin or report viewer who clicks a crafted URL targeting the legacy form reports dashboard. The vulnerable component, Concrete\Core\Legacy\Pagination, raw-interpolates a user-controlled URL value directly into an HTML href attribute, enabling attribute injection per CWE-83. With a CVSS 4.0 score of 6.0 and high confidentiality impact (VC:H) on the vulnerable system, successful exploitation can lead to session token theft; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Concrete CMS is a PHP-based open-source content management system. The vulnerable class Concrete\Core\Legacy\Pagination constructs paginated HTML anchor elements for the legacy form reports feature exposed at /dashboard/reports/forms/legacy. The root cause is CWE-83 (Improper Neutralization of Script in Attributes in a Web Page): the $URL field is interpolated directly into an href="" attribute without HTML encoding or URL scheme validation, permitting injection of javascript: URIs or attribute-breaking payloads (e.g., closing the href and injecting an onmouseover handler). The CPE identifier cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* covers all application-class Concrete CMS installs; the affected version range is confirmed as 5.0 through 9.5.0 per EUVD-2026-31357. The attack vector is network (AV:N) because the payload is delivered via a remotely crafted URL, but AT:P in CVSS 4.0 indicates that attack prerequisites - specifically a victim holding an authenticated session with dashboard access - must be met.

RemediationAI

The primary fix is to upgrade to Concrete CMS 9.5.1, as indicated by the vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes - the exact patched version is inferred as 9.5.1 from the URL slug '951' and should be independently verified against those release notes before deployment. If an immediate upgrade is not feasible, restrict access to the /dashboard/reports/forms/legacy endpoint at the web server or reverse proxy layer (e.g., via IP allowlist or authentication gateway) to the smallest possible set of trusted administrators; this reduces the victim pool but does not remediate the underlying unsanitized interpolation. As an additional precaution, instruct all CMS administrators to avoid clicking unsolicited links to the legacy reports dashboard while holding an active session, and consider enforcing short session timeouts to reduce the window of exposure if a crafted URL is delivered. Note that restricting the endpoint may break legitimate reporting workflows for affected users.

CVE-2021-22968 HIGH POC
7.2 Nov 19

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co

CVE-2021-36766 HIGH POC
7.2 Jul 30

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl

CVE-2020-24986 HIGH POC
7.2 Sep 04

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File

CVE-2020-11476 HIGH POC
7.2 Jul 28

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity

CVE-2018-13790 HIGH POC
7.2 Jul 09

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-2994 MEDIUM POC
6.8 Mar 04

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co

CVE-2017-8082 MEDIUM POC
6.5 Apr 24

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in

CVE-2023-48648 CRITICAL
9.8 Nov 17

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec

CVE-2022-21829 CRITICAL
9.8 Jun 24

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho

CVE-2021-22958 CRITICAL
9.8 Oct 07

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad

CVE-2021-40098 CRITICAL
9.8 Sep 27

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Share

CVE-2026-8245 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy