CVE-2026-3244
Received Received - Intake
Stored XSS in Concrete CMS Search Block Allows Script Injection

Publication date: 2026-03-04

Last updated on: 2026-03-04

Assigner: ConcreteCMS

Description
In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results.Β The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks zolpakΒ for reporting
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3244
EUVD
EUVD-2026-9355
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
concretecms concrete_cms to 9.4.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3244 is a stored cross-site scripting (XSS) vulnerability in Concrete CMS versions below 9.4.8. It exists in the search block where page names and content are displayed without proper HTML encoding in search results.

This flaw allows authenticated rogue administrators to inject malicious JavaScript code through page names. When users search for and view those pages in the search results, the injected scripts execute, potentially compromising user interactions.

Impact Analysis

The vulnerability can lead to the execution of malicious JavaScript in the context of users viewing search results. This can result in unauthorized actions, data theft, session hijacking, or other malicious activities performed by the injected scripts.

Since the attack requires an authenticated administrator to inject the malicious code, the risk is limited to environments where such privileged users are compromised or act maliciously.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves stored cross-site scripting (XSS) in the search block of Concrete CMS versions below 9.4.8, where page names and content are rendered without proper HTML encoding in search results.

Detection would involve checking if your Concrete CMS installation is below version 9.4.8 and if authenticated administrators have injected malicious JavaScript through page names that execute when users perform searches.

Since the vulnerability is related to the rendering of page names in search results, you can attempt to detect it by searching for suspicious or unexpected JavaScript code in page names or search results.

No specific commands or automated detection tools are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade Concrete CMS to version 9.4.8 or later, where this vulnerability has been fixed by properly encoding page names in the search block to prevent XSS attacks.

Until the upgrade is applied, restrict administrative access to trusted users only, as the vulnerability requires authenticated administrator privileges to exploit.

Review and sanitize page names to ensure they do not contain malicious JavaScript code.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3244. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart