Stored XSS Vulnerability in Concrete CMS Prior to Version 9.4.8
CVE-2026-3240
4.8 MEDIUM
What is CVE-2026-3240?
In Concrete CMS versions below 9.4.8, a stored Cross-Site Scripting (XSS) vulnerability exists that allows an attacker with edit permissions on a page using the Legacy form element to inject malicious scripts through the Question field. This vulnerability can potentially be exploited to target high-privilege accounts, leading to unauthorized actions or data exposure. The Concrete CMS security team has addressed this issue and encourages users to update to the latest version to mitigate the risk.
Affected Version(s)
Concrete CMS 5 < 9.4.8
CVSS V4
Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security
