
4 matches found

RedhatCVE
added 2026/03/05 7:51 a.m., 3 views

CVE-2026-2994

Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via the groupid parameter, which can lead to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerabilit...

CVSS 6.8, AI score 5.9, EPSS 0.00208
Exploits: 1, References: 1

ATTACKERKB
added 2026/03/04 1:55 a.m., 1 views

CVE-2026-3244

In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...

CVSS 4.8, AI score 5.8, EPSS 0.00195
Exploits: 1, References: 3, Affected Software: 1

Vulnrichment
added 2026/03/04 1:55 a.m., 4 views

CVE-2026-3244 Concrete CMS below version 9.4.8 is vulnerable to Stored XSS in Search Results via Page Names

In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...

CVSS 4.8, AI score 5.8, EPSS 0.00195
Exploits: 1, References: 2

CVE
added 2026/03/04 1:55 a.m., 14 views

CVE-2026-3244

Concrete CMS versions below 9.4.8 are affected by a stored XSS in the search block, where page names and content render without HTML encoding, enabling an authenticated rogue administrator to inject JavaScript that runs when users run and view search results. The issue is documented with CVSS v4....

CVSS 4.8, AI score 5.8, EPSS 0.00195
Exploits: 1, References: 2, Affected Software: 1