VYPR
Moderate severity · NVD Advisory · Published Mar 4, 2026 · Updated Mar 4, 2026

Concrete CMS below version 9.4.8 is vulnerable to Stored XSS in Search Results via Page Names

CVE-2026-3244

Description

In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to zolpak for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Concrete CMS ≤9.4.7 search block allows authenticated administrators to inject JavaScript via page names.

Vulnerability

CVE-2026-3244 is a stored cross-site scripting (XSS) vulnerability in Concrete CMS versions below 9.4.8. It lies in the search block, where page names and content are rendered in search results without proper HTML encoding [1][2]. A rogue authenticated administrator can therefore inject JavaScript through a page name; the script later executes when other users search for and view that page in the search results [2].
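The defect class the advisory describes is untrusted strings concatenated straight into HTML. The following is an added PHP illustration, not Concrete CMS's search block or its fix: it renders constructed sample search rows with the unsafe pattern and with output encoding applied, using PHP's built-in htmlspecialchars rather than any Concrete CMS helper, and includes a check of the kind a regression test would run against the rendered markup.

```php
<?php
// Added illustration, not Concrete CMS code. The search rows below are
// constructed sample data; the function names are this example's own.
declare(strict_types=1);

/** Encode a value for insertion into HTML text or a quoted attribute. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: page name, URL and snippet interpolated raw. */
function renderResultsUnsafe(array $results): string
{
    $html = "<ul class=\"search-results\">\n";
    foreach ($results as $r) {
        $html .= "  <li><a href=\"{$r['url']}\">{$r['name']}</a>"
               . "<p>{$r['snippet']}</p></li>\n";
    }
    return $html . "</ul>\n";
}

/** Hardened pattern: every untrusted field passes through esc(). */
function renderResultsSafe(array $results): string
{
    $html = "<ul class=\"search-results\">\n";
    foreach ($results as $r) {
        // href is encoded here; in real code the URL should additionally be
        // validated as a site-relative path before it reaches the template.
        $html .= '  <li><a href="' . esc($r['url']) . '">' . esc($r['name']) . '</a>'
               . '<p>' . esc($r['snippet']) . '</p></li>' . "\n";
    }
    return $html . "</ul>\n";
}

/**
 * Regression-style check: the wrapper legitimately contains <ul>, <li>, <a>
 * and <p>, so look only for a tag name that never appears in the template.
 */
function containsRawTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

// Constructed sample rows; the second page name carries inert marker markup.
$results = [
    ['url' => '/about', 'name' => 'About us', 'snippet' => 'Who we are'],
    ['url' => '/news',  'name' => 'News <script>/* marker */</script>',
     'snippet' => 'Latest "updates" & notes'],
];

$unsafe = renderResultsUnsafe($results);
$safe   = renderResultsSafe($results);

printf("unsafe output contains a raw <script> tag: %s\n",
       containsRawTag($unsafe, 'script') ? 'yes' : 'no');
printf("encoded output contains a raw <script> tag: %s\n",
       containsRawTag($safe, 'script') ? 'yes' : 'no');
echo $safe;
```

Run it with `php example.php`. The encoded output shows the marker page name as literal text (`&lt;script&gt;...`) and the double quotes and ampersand in the snippet as entities, which is the property the 9.4.8 fix restores for the search block: a page name controlled by an administrator is data, never markup, by the time it reaches another user's browser.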

Exploitation

To exploit this vulnerability, an attacker must have administrative access to Concrete CMS and the ability to create or modify page names. The attack is network-based (AV:N), has low attack complexity (AC:L), and needs no special attack prerequisites (AT:N). User interaction is required (UI:P): a victim must perform a search and view the results containing the crafted page name [1]. The crafted page name is stored in the database, and the script runs in the victim's browser when the search results are rendered.

Impact

A successful exploit allows the attacker to execute arbitrary JavaScript in the victim's browser session. The CVSS v4.0 score is 4.8 (medium); the vector indicates no impact on confidentiality or availability but a low impact on integrity (VI:L) [1][2]. There is no impact on subsequent systems (SC:N, SI:N, SA:N): the injected script executes within the application's own security context.

Mitigation

The vulnerability is fixed in Concrete CMS version 9.4.8, released with commit 12826 [2]. Users are strongly encouraged to upgrade to the latest version to prevent exploitation. No workarounds are documented for this specific issue.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: concrete5/concrete5 (Packagist)
Affected versions: < 9.4.8
Patched versions: 9.4.8

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4
