Lucene search
K

16 matches found

RedhatCVE
RedhatCVE
added 2026/03/05 7:51 a.m.4 views

CVE-2026-3242

In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting...

4.8CVSS5.9AI score0.00199EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/05 7:51 a.m.7 views

CVE-2026-3241

In Concrete CMS below version 9.4.8, a stored cross-site scripting XSS vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms e.g., a rogue administrator can inject a persistent JavaScript payload into the options of a multiple-choice...

4.8CVSS5.8AI score0.00208EPSS
Exploits1References1
Snyk
Snyk
added 2026/03/04 6:27 a.m.4 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the groupid parameter in the Anti-Spam Allowlist Group configuration. An attacker can perform unauthorized actions by tricking a logged-in administrator into submitting a crafted request, resulting in...

6.8CVSS5.8AI score0.00208EPSS
Exploits1References2
OSV
OSV
added 2026/03/04 3:31 a.m.12 views

GHSA-45FJ-FVMM-XCC5 Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability

In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for...

4.8CVSS5.9AI score0.00212EPSS
Exploits1References4
EUVD
EUVD
added 2026/03/04 3:31 a.m.6 views

EUVD-2026-9359

In Concrete CMS below version 9.4.8, a stored cross-site scripting XSS vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms e.g., a rogue administrator can inject a persistent JavaScript payload into the options of a multiple-choice...

4.8CVSS5.8AI score0.00208EPSS
Exploits1References3
NVD
NVD
added 2026/03/04 3:16 a.m.8 views

CVE-2026-3242

In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting...

4.8CVSS0.00199EPSS
Exploits1References2
CVE
CVE
added 2026/03/04 2:18 a.m.17 views

CVE-2026-2994

Concrete CMS versions prior to 9.4.8 are vulnerable to CSRF via the Anti-Spam Allowlist Group Configuration (group_id parameter). The root cause is that changes are saved before CSRF token validation, enabling a Rogue Administrator to bypass CSRF protections. Affected software: Concrete CMS

6.8CVSS5.9AI score0.00208EPSS
Exploits1References2Affected Software1
NVD
NVD
added 2026/03/04 2:15 a.m.9 views

CVE-2026-3244

In Concrete CMS below version 9.4.8, A stored cross-site scripting XSS vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...

4.8CVSS0.00195EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/04 2:15 a.m.6 views

CVE-2026-3240

In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with...

4.8CVSS5.9AI score0.00212EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/04 2:15 a.m.4 views

CVE-2026-3240 Concrete CMS below 9.4.8 is vulnerable to Stored XSS via Legacy form

In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with...

4.8CVSS5.9AI score0.00212EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/03/04 1:55 a.m.41 views

CVE-2026-3244 Concrete CMS below version 9.4.8 is vulnerable to Stored XSS in Search Results via Page Names

In Concrete CMS below version 9.4.8, A stored cross-site scripting XSS vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...

4.8CVSS0.00195EPSS
Exploits1References2
OSV
OSV
added 2026/03/04 1:49 a.m.5 views

CVE-2026-3452 Concrete CMS below 9.4.8 is vulnerable to stored deserialization leading to RCE in the Express Entry List block.

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to...

8.9CVSS6AI score0.00605EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/03/04 12:0 a.m.11 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system designed for teams. Versions of Concrete CMS prior to 9.4.8 contained a security vulnerability. This vulnerability stemmed from PHP object injection in the columns parameter within the Express Entry List block, which could lead to remote co...

8.9CVSS6.1AI score0.00605EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.10 views

PT-2026-22864

Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerabili...

2.3CVSS5.9AI score0.00208EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.12 views

PT-2026-22866

In Concrete CMS below version 9.4.8, a stored cross-site scripting XSS vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms e.g., a rogue administrator can inject a persistent JavaScript payload into the options of a multiple-choice...

4.8CVSS5.8AI score0.00208EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/03/04 12:0 a.m.7 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS prior to 9.4.8 contained a security vulnerability. This vulnerability stemmed from improper HTML encoding during the rendering of page names and content in the search block, which could le...

4.8CVSS5.7AI score0.00195EPSS
Exploits1References2
Rows per page
Query Builder