2 matches found
CVE-2026-8197
Concrete CMS 9.5.0 and earlier is affected by a Stored XSS via the OAuth integration name. The integration name (admin-controlled) is rendered through the t() translation helper as a sprintf-style format, with the ... wrapper built by PHP string interpolation before t() runs, allowing the integra...
CVE-2026-8197 Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name admin-controlled through Concrete's t translation helper as a sprintf-style format. The ... wrap is built by PHP string interpolation before t runs, so th...