CVE-2026-3244
Stored XSS in Concrete CMS Search Block Allows Script Injection
Publication date: 2026-03-04
Last updated on: 2026-03-04
Assigner: ConcreteCMS
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concretecms | concrete_cms | to 9.4.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3244 is a stored cross-site scripting (XSS) vulnerability in Concrete CMS versions below 9.4.8. It exists in the search block where page names and content are displayed without proper HTML encoding in search results.
This flaw allows authenticated rogue administrators to inject malicious JavaScript code through page names. When users search for and view those pages in the search results, the injected scripts execute, potentially compromising user interactions.
How can this vulnerability impact me? :
The vulnerability can lead to the execution of malicious JavaScript in the context of users viewing search results. This can result in unauthorized actions, data theft, session hijacking, or other malicious activities performed by the injected scripts.
Since the attack requires an authenticated administrator to inject the malicious code, the risk is limited to environments where such privileged users are compromised or act maliciously.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored cross-site scripting (XSS) in the search block of Concrete CMS versions below 9.4.8, where page names and content are rendered without proper HTML encoding in search results.
Detection would involve checking if your Concrete CMS installation is below version 9.4.8 and if authenticated administrators have injected malicious JavaScript through page names that execute when users perform searches.
Since the vulnerability is related to the rendering of page names in search results, you can attempt to detect it by searching for suspicious or unexpected JavaScript code in page names or search results.
No specific commands or automated detection tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Concrete CMS to version 9.4.8 or later, where this vulnerability has been fixed by properly encoding page names in the search block to prevent XSS attacks.
Until the upgrade is applied, restrict administrative access to trusted users only, as the vulnerability requires authenticated administrator privileges to exploit.
Review and sanitize page names to ensure they do not contain malicious JavaScript code.