CVE-2026-3241
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
4.8
MEDIUM
CVSS 3.1
EPSS 0.01%
Description
In Concrete CMS below version 9.4.8, a Cross-site Scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team thanks M3dium for reporting.
How to fix CVE-2026-3241
To remediate CVE-2026-3241, upgrade the affected package to a fixed version below.
- —upgrade to 9.4.8 or later
Is CVE-2026-3241 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 9.4.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |