LeakyCreds

CVE-2026-3241 - Vulnerability Analysis

Medium | CVSS: 4.8

Last Updated: March 4, 2026

Concrete CMS - Stored XSS

Published: March 4, 2026 | Updated: March 4, 2026 | PoC Available | Remote Exploitable

Overview

Concrete CMS versions before 9.4.8 contain a stored cross-site scripting (XSS) vulnerability: JavaScript payloads can be injected into the Legacy Form block options, letting authenticated users with form edit permissions execute scripts in other users' browsers.

Severity & Score

Severity: Medium
CVSS Score: 4.8

Impact

Authenticated users with form edit permissions can inject persistent scripts, leading to script execution in other users' browsers and potential session hijacking or data theft.

Mitigation

Update to version 9.4.8 or later.

Details

CVE ID: CVE-2026-3241
Severity: Medium
CVSS Score: 4.8
Type: stored_xss
Status: confirmed

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N