Lucene search
K

43750 matches found

Cvelist
Cvelist
added 2026/03/04 2:0 a.m.28 views

CVE-2026-3242 Concrete CMS below 9.4.8 is vulnerable to Stored XSS in the Switch Language block

In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting...

4.8CVSS0.00199EPSS
Exploits1References2
CVE
CVE
added 2026/03/04 1:55 a.m.15 views

CVE-2026-3244

Concrete CMS versions below 9.4.8 are affected by a stored XSS in the search block, where page names and content render without HTML encoding, enabling an authenticated rogue administrator to inject JavaScript that runs when users run and view search results. The issue is documented with CVSS v4....

4.8CVSS5.8AI score0.00195EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/03/04 1:55 a.m.36 views

CVE-2026-3244 Concrete CMS below version 9.4.8 is vulnerable to Stored XSS in Search Results via Page Names

In Concrete CMS below version 9.4.8, A stored cross-site scripting XSS vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...

4.8CVSS0.00195EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/04 1:55 a.m.4 views

CVE-2026-3244 Concrete CMS below version 9.4.8 is vulnerable to Stored XSS in Search Results via Page Names

In Concrete CMS below version 9.4.8, A stored cross-site scripting XSS vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...

4.8CVSS5.8AI score0.00195EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/04 1:55 a.m.1 views

CVE-2026-3244

In Concrete CMS below version 9.4.8, A stored cross-site scripting XSS vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...

4.8CVSS5.8AI score0.00195EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/04 1:49 a.m.3 views

CVE-2026-3452 Concrete CMS below 9.4.8 is vulnerable to stored deserialization leading to RCE in the Express Entry List block.

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to...

8.9CVSS6AI score0.00605EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/04 1:49 a.m.6 views

CVE-2026-3452

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to...

8.9CVSS6AI score0.00605EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/03/04 1:49 a.m.30 views

CVE-2026-3452 Concrete CMS below 9.4.8 is vulnerable to stored deserialization leading to RCE in the Express Entry List block.

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to...

8.9CVSS0.00605EPSS
Exploits0References2
CVE
CVE
added 2026/03/04 1:49 a.m.13 views

CVE-2026-3452

Concrete CMS versions below 9.4.8 are vulnerable to Remote Code Execution via stored PHP object injection in the Express Entry List block, using the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed ...

8.9CVSS6AI score0.00605EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/03/04 12:0 a.m.9 views

Craft CMS 安全漏洞

Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to Craft CMS 5.9.0-beta.2 and 4.17.0-beta.2 contained security vulnerabilities. These vulnerabilities stemmed from the actionSendActivationEmail endpoint, which was exposed to unverified users and lacked...

6.9CVSS5.8AI score0.00273EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.7 views

PT-2026-22865

In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with...

4.8CVSS5.9AI score0.00212EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/03/04 12:0 a.m.8 views

Craft CMS 安全漏洞

Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to 5.8.22 and 4.16.18 of Craft CMS had security vulnerabilities. These vulnerabilities stemmed from the use of the Twig map filter in text fields, which could allow the construction of malicious payloads,...

8.6CVSS6.2AI score0.00514EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/03/04 12:0 a.m.7 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system designed for teams. Versions of Concrete CMS prior to 9.4.8 contained a security vulnerability. This vulnerability stemmed from cross-site request forgery involving the groupid parameter in the Anti-Spam Allowlist Group Configuration, which...

6.8CVSS5.7AI score0.00208EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.9 views

PT-2026-22867

In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting...

4.8CVSS5.9AI score0.00199EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.9 views

PT-2026-22864

Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerabili...

2.3CVSS5.9AI score0.00208EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/03/04 12:0 a.m.7 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system designed for teams. Versions of Concrete CMS prior to 9.4.8 contained a security vulnerability. This vulnerability stemmed from a stored-cross-site scripting vulnerability in the Switch Language block, which could allow malicious...

4.8CVSS5.8AI score0.00199EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/03/04 12:0 a.m.7 views

Craft CMS 安全漏洞

Craft CMS is an open-source content management system developed by Craft CMS. Version 5.8.21 of Craft CMS contains a security vulnerability. This vulnerability stems from server-side template injection via the create Twig function, combined with the Symfony Process toolchain, potentially allowing...

7.5CVSS6.1AI score0.00556EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/03/04 12:0 a.m.6 views

Craft CMS 安全漏洞

Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to Craft CMS 5.9.0-beta.1 and 4.17.0-beta.1 contained security vulnerabilities. These vulnerabilities stemmed from incomplete permission lists, which could allow attackers with specific privileges to...

9.4CVSS5.9AI score0.00464EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/03/04 12:0 a.m.8 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS prior to 9.4.8 contained a security vulnerability. This vulnerability stemmed from a stored cross-site scripting vulnerability in the Question field of the Legacy form element, which could...

4.8CVSS5.7AI score0.00212EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/03/04 12:0 a.m.9 views

Craft CMS 安全漏洞

Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to Craft CMS 5.9.0-beta.1 and 4.17.0-beta.1 contained security vulnerabilities. These vulnerabilities stemmed from a lack of permission verification during repeated entry operations, which could allow...

5.3CVSS5.8AI score0.00234EPSS
Exploits1References3
Rows per page
Query Builder