← Back to CVEs
CVE-2026-3241
MEDIUM4.8
Description
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting.
CVE Details
CVSS v3.1 Score4.8
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredHIGH
User InteractionREQUIRED
Published3/4/2026
Last Modified3/4/2026
Sourcenvd
Honeypot Sightings0
Affected Products
concretecms:concrete_cms
Weaknesses (CWE)
CWE-79
References
https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes(ff5b8ace-8b95-4078-9743-eac1ca5451de)
https://github.com/concretecms/concretecms/pull/12826(ff5b8ace-8b95-4078-9743-eac1ca5451de)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.