Stored XSS Vulnerability in Concrete CMS Affected by Rogue Editor Actions
CVE-2026-8353

2.1 LOW

Key Information:

CVE Published: 22 May 2026

What is CVE-2026-8353?

Concrete CMS versions 9.0 through 9.5.0 are exposed to a Stored Cross-Site Scripting (XSS) vulnerability through the Atomik theme, which allows a rogue editor to inject malicious JavaScript into page names. Because the injected script is stored and later rendered, it executes in the browser of any authenticated user who visits the affected account pages. This could facilitate session hijacking and credential theft, and allow actions to be performed in the name of unsuspecting users, potentially leading to privilege escalation. Proper validation of editor-supplied input and context-aware output encoding of page names are essential to mitigate this risk.

Affected Version(s)

Concrete CMS 9.0 <= 9.5.0

CVSS V4

Score: 2.1
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yonatan Drori (Tenzai)