Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
Stored XSS in Concrete CMS 9.5.0 and below allows a high-privileged authenticated attacker to inject malicious scripts via the cvName parameter of external-link pages, exploiting a sanitization bypass in the updateCollectionAliasExternal function. The injected payload is persisted server-side and executes in the browser of any user who subsequently views the affected page within the CMS backend. The vendor-assigned CVSS v4.0 score of 2.0 reflects constrained real-world impact: exploitation requires admin-level credentials, prerequisite attack conditions (AT:P), and passive victim interaction, with no public exploit identified at time of analysis.
Technical ContextAI
Concrete CMS is a PHP-based content management system. The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS), where user-supplied input is written to persistent storage without adequate sanitization and later rendered in browser contexts. The specific function updateCollectionAliasExternal, which processes the cvName field for external-link page collection aliases, lacks or bypasses the sanitization applied elsewhere in the CMS. Stored XSS differs from reflected XSS in that the payload is not transient - it persists until explicitly removed, increasing the window of exposure. The CVSS v4.0 vector (AV:N/AC:L/AT:P/PR:H/UI:P) indicates the attack is network-delivered with low complexity once access is obtained, but requires prerequisite conditions and passive user interaction to complete the exploit chain.
RemediationAI
Upgrade to Concrete CMS 9.5.1, which is confirmed as the patched release per the vendor's official release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. If immediate patching is not feasible, restrict CMS administrative panel access to trusted IP addresses or VPN-only networks to reduce the attack surface, noting that this does not remediate the underlying sanitization flaw but substantially limits who can trigger it. Additionally, a WAF rule blocking script injection patterns (e.g., angle brackets, javascript: URIs) in the cvName parameter of external-link page requests can serve as a compensating control, though WAF bypasses are possible and this should not substitute for patching. Audit admin account credentials and enable multi-factor authentication to reduce risk from compromised high-privilege accounts.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31380
GHSA-pcrh-gj77-j4mw