CVE-2026-3240 PUBLISHED

Concrete CMS below 9.4.8 is vulnerable to Stored XSS via Legacy form

Assigner: ConcreteCMS
Reserved: 26.02.2026 Published: 04.03.2026 Updated: 04.03.2026

In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 4.8

Product Status

Vendor Concrete CMS
Product Concrete CMS
Versions Default: unaffected
  • affected from 5 to 9.4.8 (excl.)

Credits

  • minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security finder

References

Problem Types

  • CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE

Impacts

  • CAPEC-592 Stored XSS