43750 matches found
CVE-2026-3242 Concrete CMS below 9.4.8 is vulnerable to Stored XSS in the Switch Language block
In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting...
CVE-2026-3244
Concrete CMS versions below 9.4.8 are affected by a stored XSS in the search block, where page names and content render without HTML encoding, enabling an authenticated rogue administrator to inject JavaScript that runs when users run and view search results. The issue is documented with CVSS v4....
CVE-2026-3244 Concrete CMS below version 9.4.8 is vulnerable to Stored XSS in Search Results via Page Names
In Concrete CMS below version 9.4.8, A stored cross-site scripting XSS vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...
CVE-2026-3244 Concrete CMS below version 9.4.8 is vulnerable to Stored XSS in Search Results via Page Names
In Concrete CMS below version 9.4.8, A stored cross-site scripting XSS vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...
CVE-2026-3244
In Concrete CMS below version 9.4.8, A stored cross-site scripting XSS vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...
CVE-2026-3452 Concrete CMS below 9.4.8 is vulnerable to stored deserialization leading to RCE in the Express Entry List block.
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to...
CVE-2026-3452
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to...
CVE-2026-3452 Concrete CMS below 9.4.8 is vulnerable to stored deserialization leading to RCE in the Express Entry List block.
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to...
CVE-2026-3452
Concrete CMS versions below 9.4.8 are vulnerable to Remote Code Execution via stored PHP object injection in the Express Entry List block, using the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed ...
Craft CMS 安全漏洞
Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to Craft CMS 5.9.0-beta.2 and 4.17.0-beta.2 contained security vulnerabilities. These vulnerabilities stemmed from the actionSendActivationEmail endpoint, which was exposed to unverified users and lacked...
PT-2026-22865
In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with...
Craft CMS 安全漏洞
Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to 5.8.22 and 4.16.18 of Craft CMS had security vulnerabilities. These vulnerabilities stemmed from the use of the Twig map filter in text fields, which could allow the construction of malicious payloads,...
Concrete CMS 安全漏洞
Concrete CMS is an open-source content management system designed for teams. Versions of Concrete CMS prior to 9.4.8 contained a security vulnerability. This vulnerability stemmed from cross-site request forgery involving the groupid parameter in the Anti-Spam Allowlist Group Configuration, which...
PT-2026-22867
In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting...
PT-2026-22864
Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerabili...
Concrete CMS 安全漏洞
Concrete CMS is an open-source content management system designed for teams. Versions of Concrete CMS prior to 9.4.8 contained a security vulnerability. This vulnerability stemmed from a stored-cross-site scripting vulnerability in the Switch Language block, which could allow malicious...
Craft CMS 安全漏洞
Craft CMS is an open-source content management system developed by Craft CMS. Version 5.8.21 of Craft CMS contains a security vulnerability. This vulnerability stems from server-side template injection via the create Twig function, combined with the Symfony Process toolchain, potentially allowing...
Craft CMS 安全漏洞
Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to Craft CMS 5.9.0-beta.1 and 4.17.0-beta.1 contained security vulnerabilities. These vulnerabilities stemmed from incomplete permission lists, which could allow attackers with specific privileges to...
Concrete CMS 安全漏洞
Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS prior to 9.4.8 contained a security vulnerability. This vulnerability stemmed from a stored cross-site scripting vulnerability in the Question field of the Legacy form element, which could...
Craft CMS 安全漏洞
Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to Craft CMS 5.9.0-beta.1 and 4.17.0-beta.1 contained security vulnerabilities. These vulnerabilities stemmed from a lack of permission verification during repeated entry operations, which could allow...