VYPR
Moderate severity · NVD Advisory · Published Mar 4, 2026 · Updated Mar 4, 2026

Concrete CMS below version 9.4.8 is vulnerable to a stored cross-site scripting (XSS) in the "Legacy Form" block.

CVE-2026-3241

Description

In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to M3dium for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Concrete CMS Legacy Form block allows authenticated administrators to inject persistent JavaScript into multiple-choice question options.

Vulnerability

Description

CVE-2026-3241 is a stored cross-site scripting (XSS) vulnerability in the Legacy Form block of Concrete CMS versions prior to 9.4.8 [1]. The flaw lies in the options of the multiple-choice question types (Checkbox List, Radio Buttons, and Select Box): option text supplied by the form editor is neither sanitized on save nor encoded when the block renders it, so it reaches the page as raw HTML. An authenticated user with permissions to create or edit forms can therefore store a JavaScript payload in these fields that persists with the form [1][2].

Exploitation

Exploitation requires an account with administrative privileges or equivalent permissions to manage forms [2]. The attacker crafts a malicious JavaScript payload and inserts it into the form's multiple-choice options. When any user, including non-administrators, visits a page that displays the compromised form, the payload executes in their browser [1]. The attack vector is network-based with low complexity (AV:N/AC:L), but it requires high privileges (PR:H) and passive user interaction (UI:P): the victim only has to view the page, with no click or other action needed [1].

Impact

Successful exploitation leads to arbitrary JavaScript execution in the victim's browser, in the context of their session with the site. In general that capability can be used for session hijacking, data theft, or defacement; note, however, that the published CVSS v4.0 vector rates the confidentiality impact as none and the integrity impact as low (VC:N/VI:L), which is why the score is only 4.8 (medium) [1]. The vulnerability does not affect the availability of the system (VA:N) [1].

Mitigation

The issue is fixed in Concrete CMS version 9.4.8 [2]. The fix was implemented in change 12826, which sanitizes the options input of the Legacy Form block [3]. Users should upgrade to 9.4.8 or later promptly. No workarounds are documented; upgrading is the recommended course of action. Because the payload is stored as data, a fix that sanitizes input on save does not by itself clean options that were saved before the upgrade, so sites that suspect abuse should also review the option lists of existing legacy forms after updating.
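To make the sink described above and the mitigation concrete, here is an added illustration in PHP. It is not Concrete CMS code, and it assumes a simplified schema (a per-question "options" string with one option per line, and a block view that interpolates each option into an <option> element) that is only a stand-in for the real block; the sample rows, the `renderSelectVulnerable`, `renderSelectSafe` and `findSuspiciousOptions` functions, and the regular expression are all constructed for this example.

```php
<?php
// Added illustration for CVE-2026-3241 (not Concrete CMS code).
// Assumption (hypothetical schema): each legacy-form question keeps its
// multiple-choice options as one newline-separated string in an
// "options" field, and the block view echoes each option into markup.

declare(strict_types=1);

// Constructed sample rows: the last one was poisoned by a user who has
// rights to edit forms. The payload only proves attribute/element breakout.
$storedQuestions = [
    ['qID' => 1, 'inputType' => 'select', 'question' => 'Department',
     'options' => "Sales\nSupport\nEngineering"],
    ['qID' => 2, 'inputType' => 'radios', 'question' => 'Contact me?',
     'options' => "Yes\nNo"],
    ['qID' => 3, 'inputType' => 'checkboxlist', 'question' => 'Topics',
     'options' => "Pricing\nDemo\"><script>alert(document.domain)</script>"],
];

// One option per line, blank lines dropped.
function splitOptions(string $options): array
{
    return array_values(array_filter(array_map('trim', explode("\n", $options)), 'strlen'));
}

// VULNERABLE pattern: option text is interpolated raw into both the
// value attribute and the element body, so a stored "><script>... closes
// the attribute and injects a script element into the page.
function renderSelectVulnerable(string $name, string $options): string
{
    $html = '<select name="' . $name . '">';
    foreach (splitOptions($options) as $opt) {
        $html .= '<option value="' . $opt . '">' . $opt . '</option>';
    }
    return $html . '</select>';
}

// HARDENED pattern: every untrusted string is HTML-encoded for the context
// it lands in. ENT_QUOTES encodes both quote kinds so the attribute cannot
// be closed early; ENT_SUBSTITUTE avoids returning "" on invalid UTF-8.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSelectSafe(string $name, string $options): string
{
    $html = '<select name="' . esc($name) . '">';
    foreach (splitOptions($options) as $opt) {
        $html .= '<option value="' . esc($opt) . '">' . esc($opt) . '</option>';
    }
    return $html . '</select>';
}

// Post-upgrade review: the patch fixes the code path, but options saved
// before the upgrade are still whatever the editor typed. Flag stored
// options that carry tags, javascript: URLs or inline event handlers.
function findSuspiciousOptions(array $questions): array
{
    $hits = [];
    $pattern = '/<\s*\/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=/i';
    foreach ($questions as $q) {
        foreach (splitOptions($q['options']) as $opt) {
            if (preg_match($pattern, $opt) === 1) {
                $hits[] = ['qID' => $q['qID'], 'question' => $q['question'], 'option' => $opt];
            }
        }
    }
    return $hits;
}

foreach ($storedQuestions as $q) {
    $field = 'Question' . $q['qID'];
    echo "q{$q['qID']} vulnerable: " . renderSelectVulnerable($field, $q['options']) . PHP_EOL;
    echo "q{$q['qID']} hardened:   " . renderSelectSafe($field, $q['options']) . PHP_EOL;
}
print_r(findSuspiciousOptions($storedQuestions));
```

Running it prints the third question twice: the vulnerable rendering contains a live `<script>` element, while the hardened rendering shows the same text as `&quot;&gt;&lt;script&gt;...` inside the option. The audit pass reports only qID 3. The regular expression is deliberately broad (it will also flag legitimate options that contain a literal `<`), which is the right trade-off for a one-off review of a small table.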

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
concrete5/concrete5 (Packagist)  < 9.4.8             9.4.8

Affected products (1)

  • Concrete CMS/Concrete CMS v5
    Range: 5

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.