VYPR
Moderate severity · NVD Advisory · Published Mar 4, 2026 · Updated Mar 4, 2026

Concrete CMS below 9.4.8 is vulnerable to Stored XSS via Legacy form

CVE-2026-3240

Description

In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Concrete CMS's Legacy Form block allows users with page edit permissions to inject malicious scripts via the Question field, targeting high-privilege accounts.

Vulnerability

Overview

CVE-2026-3240 is a stored cross-site scripting (XSS) vulnerability found in Concrete CMS versions prior to 9.4.8. The flaw resides in the Legacy Form block, specifically within the Question field. A user who has permission to edit a page containing this block can inject arbitrary JavaScript or HTML into the Question field, which is then stored and later rendered without proper sanitization [1][2].
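As an added illustration (constructed here, not Concrete CMS code), a minimal PHP rendering of a stored question label in the vulnerable shape the overview describes, next to an output-encoded version; the function names and the sample question value are assumptions.

```php
<?php
// Constructed example, not Concrete CMS code: rendering an untrusted, stored
// form question both as element content and inside a double-quoted attribute.

function renderQuestionUnsafe(string $question, string $name): string
{
    // Vulnerable pattern: the stored string is interpolated into HTML verbatim,
    // so any markup saved in the Question field is parsed by the viewer's browser.
    return "<label for=\"$name\">$question</label>"
         . "<input type=\"text\" name=\"$name\" placeholder=\"$question\">";
}

function esc(string $s): string
{
    // Escape for element-content and attribute contexts in one call.
    // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string, which would silently drop
    // the label and hide the problem.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderQuestionSafe(string $question, string $name): string
{
    // Hardened pattern: encode at output time, in every context the value
    // reaches, regardless of what was accepted when the block was saved.
    $q = esc($question);
    $n = esc($name);
    return "<label for=\"$n\">$q</label>"
         . "<input type=\"text\" name=\"$n\" placeholder=\"$q\">";
}

// Constructed sample question containing markup. The unsafe renderer emits it
// as live HTML; the safe renderer shows it as literal text.
$stored = 'Your e-mail? <script>alert(1)</script>';
echo renderQuestionUnsafe($stored, 'q1'), PHP_EOL;
echo renderQuestionSafe($stored, 'q1'), PHP_EOL;
```

The same encode-on-output discipline applies to any other place a block's stored fields are echoed (edit dialogs, admin listings, e-mail notifications), since the high-privilege viewer in this advisory is reached through whichever view renders the field.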

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must have a Concrete CMS account with at least page editing privileges and access to a page that uses the Legacy Form block. The attack is performed by submitting a crafted payload in the Question field. When a high-privilege user (such as an administrator) views the affected page, the stored script executes in their browser session. The CVSS v4.0 score is 4.8, with a vector of AV:N/AC:L/AT:N/PR:H/UI:P, indicating that while the attacker requires high privileges (PR:H) and the victim must interact (UI:P), the attack complexity is low (AC:L) and no special attack requirements (AT:N) apply beyond network access [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to actions such as stealing session cookies, performing administrative actions on behalf of the victim, or defacing the page. The impact is limited to integrity (VI:L) and does not affect confidentiality or availability directly, but the stored XSS can be used as a stepping stone for further attacks [1].

Mitigation

The fix is available for Concrete CMS version 9 only, in version 9.4.8. Users should upgrade to this version or later to remediate the issue. No workarounds are mentioned in the advisory. The issue was reported by researchers from VCSLab-Viettel Cyber Security [1][2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: concrete5/concrete5 (Packagist)
Affected versions: < 9.4.8
Patched versions: 9.4.8
