CVE-2026-3244 - Vulnerability Analysis
Medium | CVSS: 4.8 | Last Updated: March 4, 2026
Concrete CMS - Stored XSS
Published: March 4, 2026 | Updated: March 4, 2026 | PoC Available | Remote Exploitable
Overview
Concrete CMS < 9.4.8 contains a stored cross-site scripting vulnerability caused by improper HTML encoding of page names and content in the search block. It lets authenticated rogue administrators inject malicious JavaScript. Exploitation requires authenticated admin privileges.
Severity & Score
Severity: Medium
CVSS Score: 4.8
Impact
Authenticated rogue administrators can inject malicious JavaScript that executes when users view search results, potentially leading to user session compromise or actions on behalf of users.
Mitigation
Update to version 9.4.8 or later.
Details
- CVE ID: CVE-2026-3244
- Severity: Medium
- CVSS Score: 4.8
- Type: stored_xss
- Status: confirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N