CVE-2025-8573 — Concrete CMS is vulnerable to Stored XSS from Home Folder on Members Dashboard p

Description

Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login.

How to fix CVE-2025-8573

To remediate CVE-2025-8573, upgrade the affected package to a fixed version below.

Packagist/concrete5/concrete5—upgrade to 9.4.3 or later

Is CVE-2025-8573 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 9.0.0RC1, < 9.4.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-8573
PATCHgithub.com/concretecms/concretecms
WEBdocumentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes
WEBgithub.com/concretecms/concretecms/commit/f7630b467d3a234d3d333ca117046a500e7ee2b6