CVE-2026-3241 Concrete CMS below version 9.4.8 is vulnerable to a stored cross-site scripting (XSS) in the "Legacy Form" block.

In Concrete CMS below version 9.4.8, a stored cross-site scripting XSS vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms e.g., a rogue administrator can inject a persistent JavaScript payload into the options of a multiple-choice...