Concrete CMS: Malicious Code Can Run in Administrator's Browser
CVE-2026-3242
GHSA-w9qg-chfh-g3q9
Summary
Concrete CMS versions below 9.4.8 are vulnerable to stored cross-site scripting: an attacker who already holds administrator privileges can embed malicious script in the site, and that script can later run in an administrator's browser, potentially giving the attacker control of that session and leading to unauthorized actions. To protect your site, update to at least version 9.4.8.
What to do
- Update concrete5 to version 9.4.8.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| concrete5 | concrete5 | <= 9.4.8 | 9.4.8 |
| concretecms | concrete_cms | <= 9.4.8 | – |
Original title
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
Original description
In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block.
The Concrete CMS security team gave thanks to M3dium for reporting.
NVD CVSS 3.1 score: 4.8
NVD CVSS 4.0 score: 4.8
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://documentation.concretecms.org/9-x/developers/introduction/version-histor... Release Notes Patch Vendor Advisory
- https://github.com/concretecms/concretecms/pull/12826 Exploit Issue Tracking Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-3242
- https://github.com/advisories/GHSA-w9qg-chfh-g3q9
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026