Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.8
Concrete CMS Search Results Can Run Malicious Code
CVE-2026-3244
GHSA-mm5f-5rqw-574f
Summary
If an attacker with admin access in Concrete CMS (older than version 9.4.8) injects malicious code into page names, it can be executed when users search for and view those pages. This could allow the attacker to steal user data or take control of a user's account. Update to the latest version to fix this issue.
What to do
- Update concrete5 concrete5 to version 9.4.8.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| concrete5 | concrete5 | <= 9.4.8 | 9.4.8 |
| concretecms | concrete_cms | <= 9.4.8 | – |
Original title
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
Original description
In Concrete CMS below version 9.4.8, A stored Cross-site Scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results.
The Concrete CMS security team thanks zolpak for reporting.
The Concrete CMS security team thanks zolpak for reporting.
nvd CVSS3.1
4.8
nvd CVSS4.0
4.8
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://documentation.concretecms.org/9-x/developers/introduction/version-histor... Release Notes Patch Vendor Advisory
- https://github.com/concretecms/concretecms/pull/12826 Exploit Issue Tracking Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-3244
- https://github.com/advisories/GHSA-mm5f-5rqw-574f
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026