Vulnerability Description
Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Alfin Joseph for reporting.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-8203?
CVE-2026-8203 is a documented vulnerability. Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes...
How severe is CVE-2026-8203?
CVSS scoring is not yet available for CVE-2026-8203. Check NVD for updates.
Is there a patch for CVE-2026-8203?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.