Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored...

2.1 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Basic Information

ID CVE-2026-8353

Source ConcreteCMS

Published May 22, 2026 at 14:18

Affected Product

Vendor Concrete CMS

Product Concrete CMS

Version 9.0

Affected Versions Concrete CMS Concrete CMS 9.0

CWE Classification

CWE-79

References

documentation.concretecms.org /9-x/developers/introduction/version-history/951-release-notes

{
    "lastseen": "",
    "description": "Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor\u00a0can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u00a02.1 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks\u00a0Yonatan Drori (Tenzai) for reporting.",
    "published": "2026-05-22T14:18:06.991Z",
    "modified": "2026-05-22T14:18:06.991Z",
    "type": "cve",
    "title": "Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme",
    "source": "ConcreteCMS",
    "references": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes",
    "id": "CVE-2026-8353",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "Concrete CMS Concrete CMS 9.0",
    "sourceHref": "",
    "cvss": {
        "score": 2.1,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Concrete CMS",
    "version": "9.0",
    "vendor": "Concrete CMS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme_CVE-2026-8353