Stored XSS Vulnerability in Concrete CMS by Concrete5
CVE-2026-8139

2LOW

Key Information:

Vendor: Concrete Cms
Status: Concrete Cms
Vendor: CVE Published:; 21 May 2026

🔔 Create Concrete Cms Vulnerability Alert

What is CVE-2026-8139?

Concrete CMS versions 9.5.0 and earlier are susceptible to a stored cross-site scripting (XSS) vulnerability through the external-link page 'cvName'. The flaw arises when the updateCollectionAliasExternal function fails to properly sanitize user input. This oversight allows malicious scripts to be stored and executed in the context of other users' sessions, potentially compromising user data and the overall integrity of the application. Users are urged to upgrade to a later version to mitigate this security risk.

Affected Version(s)

Concrete CMS 5.0 <= 9.5.0

References

https://documentation.concretecms.org/9-x/developers/intr...

release-notes

CVSS V4

Score:

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 21, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-8139 Data

JSON