VYPR

Moderate severity · NVD Advisory · Published Mar 4, 2026 · Updated Mar 4, 2026

Concrete CMS below 9.4.8 is vulnerable to Stored XSS in the Switch Language block

CVE-2026-3242

Description

In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Concrete CMS below 9.4.8, a rogue administrator can inject stored XSS via the Switch Language block, with a low integrity impact (VI:L) and no confidentiality or availability impact.

Vulnerability

Overview

CVE-2026-3242 is a stored cross-site scripting (XSS) vulnerability in Concrete CMS versions prior to 9.4.8. The flaw resides in the Switch Language block: a malicious administrator can store arbitrary JavaScript in the block, and it is later executed when the block is rendered without adequate output encoding. This issue was reported by researcher M3dium and fixed in commit 12826 [1][2].

Exploitation

Prerequisites

An attacker must already hold administrative privileges within the Concrete CMS instance (PR:H), so this is an authenticated, insider-style attack: the attacker crafts a payload within the Switch Language block's configuration. The attack is network-based (AV:N) with low complexity (AC:L). User interaction is passive (UI:P), meaning a victim only has to view a page where the block is rendered; no click or other deliberate action is needed to trigger the stored payload [1].

Impact

Successful exploitation allows the attacker to execute malicious scripts in the browser of any user who views a page containing the affected block, in that user's session context. The CVSS v4.0 score is 4.8, reflecting a low impact on integrity (VI:L) and no impact on confidentiality (VC:N) or availability (VA:N); the vector records no impact on subsequent systems (SC:N/SI:N/SA:N) [1].

Mitigation

Concrete CMS version 9.4.8 includes the fix for this vulnerability. Users are strongly advised to upgrade to this version or later. No workarounds have been publicly documented [2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: concrete5/concrete5 (Packagist)
Affected versions: < 9.4.8
Patched versions: 9.4.8
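To confirm whether a deployment falls in the affected range listed above, the following added example (not part of the advisory or of Concrete CMS) inspects a composer.lock file for the concrete5/concrete5 entry and compares its version against the fixed release 9.4.8. The sample lock file embedded in the script is constructed for illustration; the only assumption beyond the advisory is the standard composer.lock layout ("packages" and "packages-dev" lists with "name" and "version" keys).

```python
"""Check a composer.lock for an affected concrete5/concrete5 version (CVE-2026-3242).

Added example, not part of the advisory or of Concrete CMS. Assumes the standard
composer.lock layout and the advisory's range: affected < 9.4.8, fixed in 9.4.8.
"""
import json
import re
import sys

PACKAGE = "concrete5/concrete5"
FIXED = (9, 4, 8)

# Composer tags look like "9.4.7" or "v9.4.7", optionally followed by a
# pre-release suffix ("-RC1") or build metadata ("+build.5").
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(version: str):
    """Return ((major, minor, patch), suffix) or None for non-release strings.

    Branch aliases such as "dev-main" or "9.x-dev" cannot be compared against a
    release number, so they are returned as None rather than guessed at.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    triple = tuple(int(g) for g in m.groups()[:3])
    return triple, m.group(4)


def is_affected(version: str):
    """True if the version predates 9.4.8, False if fixed, None if undeterminable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    triple, suffix = parsed
    if triple < FIXED:
        return True
    # A pre-release of 9.4.8 (e.g. "9.4.8-RC1") predates the fixed release in
    # Composer's ordering, so treat it conservatively as affected.
    if triple == FIXED and suffix.startswith("-"):
        return True
    return False


def scan_lock(lock_text: str):
    """Return one record per concrete5/concrete5 entry found in the lock file."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                findings.append({
                    "section": section,
                    "version": pkg["version"],
                    "affected": is_affected(pkg["version"]),
                })
    return findings


# Constructed sample: a site pinned one patch release behind the fix.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "concrete5/concrete5", "version": "9.4.7"},
        {"name": "doctrine/dbal", "version": "2.13.9"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    results = scan_lock(text)
    if not results:
        print(f"{PACKAGE} not present in lock file")
    for r in results:
        status = {True: "AFFECTED", False: "fixed", None: "UNDETERMINED"}[r["affected"]]
        print(f"{r['section']}: {PACKAGE} {r['version']} -> {status}")
```

Run it as `python check_concrete.py composer.lock`; with no argument it evaluates the constructed sample. An UNDETERMINED result (a branch alias rather than a tagged release) should be resolved by hand, since a checkout from a branch may or may not include the fix.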
