CVE-2026-8353

CVSS Score & Metrics

Base Score

4.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N                                    

Vulnerability Description

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Vulnerability Details

Published Date

May 22, 2026

Last Modified

May 22, 2026

CWE ID

CWE-79

Source

NVD

Vendor

concretecms

Product

concrete_cms

External References

https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment