Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.8
Concrete CMS: Rogue Admins Can Inject Malicious Code in Forms
CVE-2026-3241
GHSA-f4vq-pj32-gr4q
Summary
An attacker with admin access can add malicious code to forms, which will be executed in users' browsers when they view the form. This can lead to data theft, unauthorized actions, or other security risks. Update to version 9.4.8 or later to fix this issue.
What to do
- Update concrete5 concrete5 to version 9.4.8.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| concrete5 | concrete5 | <= 9.4.8 | 9.4.8 |
| concretecms | concrete_cms | <= 9.4.8 | – |
Original title
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
Original description
In Concrete CMS below version 9.4.8, a Cross-site Scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form.
The Concrete CMS security team thanks M3dium for reporting.
The Concrete CMS security team thanks M3dium for reporting.
nvd CVSS3.1
4.8
nvd CVSS4.0
4.8
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://documentation.concretecms.org/9-x/developers/introduction/version-histor... Release Notes Patch Vendor Advisory
- https://github.com/concretecms/concretecms/pull/12826 Exploit Issue Tracking Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-3241
- https://github.com/advisories/GHSA-f4vq-pj32-gr4q
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026