CVE-2025-8571 — Concrete CMS vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation

Description

Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions.

How to fix CVE-2025-8571

To remediate CVE-2025-8571, upgrade the affected package to a fixed version below.

Packagist/concrete5/concrete5—upgrade to 8.5.21 or later

Is CVE-2025-8571 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 8.5.21

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-8571
PATCHgithub.com/concretecms/concretecms
WEBdocumentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes
WEBdocumentation.concretecms.org/developers/introduction/version-history/8521-release-notes