VYPR
High severity · NVD Advisory · Published May 21, 2026

CVE-2026-8197

Description

Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation helper as a sprintf-style format. The ... wrap is built by PHP string interpolation before t() runs, so the integration name lands in the translated output as raw HTML. A rogue admin could potentially snoop on login submissions. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks to Yonatan Drori (Tenzai) for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS 9.5.0 and below is vulnerable to stored XSS via OAuth integration name due to improper sanitization before translation, allowing an admin to steal login submissions.

Vulnerability

Concrete CMS versions 9.5.0 and below contain a stored cross-site scripting (XSS) vulnerability in the OAuth integration name field. The integration name, set by an administrator, is rendered in the OAuth authorize template through the `t()` translation helper using sprintf-style formatting. However, the tag wrapping the name is built via PHP string interpolation before `t()` executes, causing the integration name to be output as raw HTML without sanitization. This allows an attacker with admin privileges to inject arbitrary JavaScript into the template.
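As an added illustration (not Concrete CMS source code), the following shows the ordering problem the advisory describes next to a hardened form. `t()` and `h()` are stand-ins for a sprintf-style translation helper and an HTML-escaping helper, the `<strong>` wrapper is assumed because the advisory elides the actual tag, and the integration name is a constructed sample.

```php
<?php
// Stand-in for a sprintf-style translation helper (not Concrete's real t()):
// look the message up in the catalogue, then apply the arguments with vsprintf.
function t(string $msg, ...$args): string
{
    $translated = $msg; // a real helper would consult the locale catalogue here
    return $args ? vsprintf($translated, $args) : $translated;
}

// Stand-in for an HTML-escaping helper (name assumed for this example).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed admin-controlled integration name carrying markup.
$integrationName = 'Acme Login <script>alert(1)</script>';

// Vulnerable ordering described by the advisory: the wrapper is assembled by
// string interpolation BEFORE t() runs, so the name becomes part of the format
// string itself. It never passes through an escaper or a sprintf argument and
// is emitted as live HTML. (<strong> is assumed; the advisory elides the tag.)
$vulnerable = t("Sign in with <strong>$integrationName</strong>");

// Hardened ordering: the format string is a fixed literal, and the name enters
// only as an escaped sprintf argument. The translator sees no attacker-controlled
// text, and any '%' or '<' in the name is inert in the rendered output.
$fixed = t('Sign in with <strong>%s</strong>', h($integrationName));

echo $vulnerable, PHP_EOL; // <script> from the name is emitted unescaped
echo $fixed, PHP_EOL;      // &lt;script&gt;... renders as literal text
```

Escaping before interpolation (`"...<strong>" . h($name) . "</strong>"`) also stops the XSS, but still lets the name act as part of the format string, so passing it as an argument is the cleaner fix.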

Exploitation

To exploit this vulnerability, an attacker must have administrative access to the Concrete CMS site to set a malicious integration name. When a user authenticates via OAuth, the injected script executes in the context of the user's browser. The attack requires no complex network access beyond a standard web request, and the CVSS v4.0 score of 7.3 (vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects the need for high privileges but low attack complexity.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially stealing session cookies, redirecting login submissions, or performing actions on behalf of the user. The vulnerability is particularly concerning because it can be used to intercept OAuth authorization flows, leading to credential theft or account takeover.

Mitigation

The Concrete CMS development team addressed this issue in version 9.5.1, as detailed in the release notes [1]. Users are strongly advised to upgrade to Concrete CMS 9.5.1 or later. There is no workaround available for earlier versions.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
