CVE-2026-8203
Status: Analyzed (Analysis Complete)
Stored XSS in Concrete CMS via Height Parameter

Publication date: 2026-05-21

Last updated on: 2026-05-26

Assigner: ConcreteCMS

Description
Concrete CMS 9.5.0 and below is affected by stored XSS via the height parameter. The controller does not validate or sanitize $height, so any user with editor privileges can store JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks to Alfin Joseph for reporting.
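As an added illustration (not Concrete CMS's own code, and not the patched controller, which the advisory does not show), the pattern the description names beside a hardened version; the function names and the 0..10000 pixel range are assumptions:

```php
<?php
// Constructed example: a block controller that stores an editor-supplied
// height and a view that later writes it into the page.

// Vulnerable pattern as described in the advisory: the value is neither
// validated when saved nor escaped when rendered, so whatever the editor
// typed ends up verbatim in the HTML served to every visitor.
function renderVulnerable(string $height): string
{
    return '<div style="height:' . $height . '">...</div>';
}

// Hardened: a height is a non-negative integer number of pixels and nothing
// else. Reject anything that is not one at save time. The range is an
// assumed sane limit for this illustration.
function validateHeight($height): int
{
    $opts  = ['options' => ['min_range' => 0, 'max_range' => 10000]];
    $value = filter_var($height, FILTER_VALIDATE_INT, $opts);
    if ($value === false) {
        throw new InvalidArgumentException('height must be an integer in 0..10000');
    }
    return $value;
}

// Output is still escaped even though the value has been validated:
// defence in depth, in case a value reaches the view by another path.
function renderHardened(string $height): string
{
    $px = validateHeight($height);
    $attr = htmlspecialchars($px . 'px', ENT_QUOTES, 'UTF-8');
    return '<div style="height:' . $attr . '">...</div>';
}

// Constructed inputs: a well-formed height and a malformed one.
echo renderHardened('300'), "\n";
try {
    renderHardened('300px');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The detection side is the same check run in reverse: any stored height that is not a plain integer is a record worth reviewing on instances that were on 9.5.0 or below before upgrading.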
Meta Information
Published: 2026-05-21
Last Modified: 2026-05-26
Generated: 2026-06-11
AI Q&A: 2026-05-22
EPSS Evaluated: 2026-06-10
Source: NVD
Affected Vendors & Products (1 associated CPE)
Vendor: concretecms
Product: concrete_cms
Version / Range: up to and including 9.5.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Impact Analysis

If exploited, this vulnerability can lead to session hijacking and credential theft: the stored script runs in the browsers of visitors, potentially giving an attacker access to their accounts or sensitive information.

This compromises the integrity and confidentiality of user data and may result in unauthorized actions performed on behalf of legitimate users.

Executive Summary

This vulnerability exists in Concrete CMS version 9.5.0 and below, where the height parameter is subject to Stored Cross-Site Scripting (XSS). The controller does not validate or sanitize the $height parameter, so any user with editor privileges can inject JavaScript code.

When the stored script executes in the context of a visitor's browser, it can perform harmful actions such as session hijacking, credential theft, or other malicious activities.

Compliance Impact

The vulnerability allows users with editor privileges to inject JavaScript that executes in visitors' browsers, potentially leading to session hijacking, credential theft, or other malicious actions.

Such issues can affect compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and prevention of unauthorized access or data breaches.

The advisory itself does not state specific compliance consequences.
