Vulnerability Details CVE-2026-8353
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 6.9%
CVSS Severity
CVSS v3 Score 4.8
References
Products affected by CVE-2026-8353
-
cpe:2.3:a:concretecms:concrete_cms:9.0
-
cpe:2.3:a:concretecms:concrete_cms:9.0.0
-
cpe:2.3:a:concretecms:concrete_cms:9.0.1
-
cpe:2.3:a:concretecms:concrete_cms:9.0.2
-
cpe:2.3:a:concretecms:concrete_cms:9.1.0
-
cpe:2.3:a:concretecms:concrete_cms:9.1.1
-
cpe:2.3:a:concretecms:concrete_cms:9.1.2
-
cpe:2.3:a:concretecms:concrete_cms:9.1.3
-
cpe:2.3:a:concretecms:concrete_cms:9.2.0
-
cpe:2.3:a:concretecms:concrete_cms:9.2.1
-
cpe:2.3:a:concretecms:concrete_cms:9.2.2
-
cpe:2.3:a:concretecms:concrete_cms:9.2.3
-
cpe:2.3:a:concretecms:concrete_cms:9.2.4
-
cpe:2.3:a:concretecms:concrete_cms:9.2.5
-
cpe:2.3:a:concretecms:concrete_cms:9.2.6
-
cpe:2.3:a:concretecms:concrete_cms:9.2.7
-
cpe:2.3:a:concretecms:concrete_cms:9.2.8
-
cpe:2.3:a:concretecms:concrete_cms:9.2.9
-
cpe:2.3:a:concretecms:concrete_cms:9.3.0
-
cpe:2.3:a:concretecms:concrete_cms:9.3.1
-
cpe:2.3:a:concretecms:concrete_cms:9.3.2
-
cpe:2.3:a:concretecms:concrete_cms:9.3.3
-
cpe:2.3:a:concretecms:concrete_cms:9.3.4
-
cpe:2.3:a:concretecms:concrete_cms:9.3.5
-
cpe:2.3:a:concretecms:concrete_cms:9.3.6
-
cpe:2.3:a:concretecms:concrete_cms:9.3.7
-
cpe:2.3:a:concretecms:concrete_cms:9.3.8
-
cpe:2.3:a:concretecms:concrete_cms:9.3.9
-
cpe:2.3:a:concretecms:concrete_cms:9.4.0
-
cpe:2.3:a:concretecms:concrete_cms:9.4.1
-
cpe:2.3:a:concretecms:concrete_cms:9.4.2
-
cpe:2.3:a:concretecms:concrete_cms:9.4.3
-
cpe:2.3:a:concretecms:concrete_cms:9.4.4
-
cpe:2.3:a:concretecms:concrete_cms:9.4.5
-
cpe:2.3:a:concretecms:concrete_cms:9.4.6
-
cpe:2.3:a:concretecms:concrete_cms:9.4.7
-
cpe:2.3:a:concretecms:concrete_cms:9.4.8
-
cpe:2.3:a:concretecms:concrete_cms:9.5.0