Vulnerability Description
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Concretecms | Concrete Cms | < 9.4.8 |
Related Weaknesses (CWE)
References
- https://documentation.concretecms.org/9-x/developers/introduction/version-historRelease NotesPatchVendor Advisory
- https://github.com/concretecms/concretecms/pull/12826ExploitIssue TrackingVendor Advisory
FAQ
What is CVE-2026-3241?
CVE-2026-3241 is a vulnerability with a CVSS score of 4.8 (MEDIUM). In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue ...
How severe is CVE-2026-3241?
CVE-2026-3241 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-3241?
Check the references section above for vendor advisories and patch information. Affected products include: Concretecms Concrete Cms.