CVE-2026-8197
Stored XSS in Concrete CMS via OAuth Integration Name
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete5 | concrete_cms | to 9.5.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Concrete CMS version 9.5.0 and below. It is a Stored Cross-Site Scripting (XSS) issue that occurs via the OAuth integration name. Specifically, the OAuth authorize template renders the integration name, which is controlled by an admin, using Concrete's translation helper t() as a sprintf-style format. However, the integration name is inserted into the translated output as raw HTML because the <strong>...</strong> wrap is built by PHP string interpolation before the translation function runs. This allows a rogue admin to inject malicious scripts that could potentially snoop on login submissions.
How can this vulnerability impact me? :
The vulnerability can allow a rogue administrator to execute stored cross-site scripting attacks by injecting malicious code into the OAuth integration name. This could lead to unauthorized access to sensitive information, such as snooping on login submissions, potentially compromising user credentials or session data.