Medium severity4.8NVD Advisory· Published May 22, 2026· Updated May 22, 2026
CVE-2026-8353
CVE-2026-8353
Description
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
1- documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notesnvdVendor AdvisoryRelease Notes
News mentions
1- Concrete CMS: 25 CVEs Disclosed Together, 12 High-Severity CSRF Bugs Lead the BatchVypr Intelligence · May 22, 2026