CVE-2026-8245
Reflected XSS in Concrete CMS via Legacy Pagination
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete_cms | concrete_cms | up to 9.5.0 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-83 | The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Concrete CMS version 9.5.0 and below. It is a Reflected Cross-Site Scripting (XSS) issue in the Legacy Pagination feature, caused by HTML attribute injection. Specifically, the pagination code builds its links by inserting a URL value directly into the href attribute of anchor tags without sanitizing it. As a result, the injected payload executes in the session of an authenticated admin or report viewer who opens a specially crafted URL to the affected dashboard page.
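The following is an added illustration of the pattern described above, not Concrete CMS code: a pagination link builder that drops the URL straight into href (the CWE-83 shape), beside a hardened version that allow-lists the URL scheme and then escapes for the attribute context. Function names and the sample URLs are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Schemes a pagination link may legitimately carry. A scheme-less (relative)
# URL such as "/dashboard/reports?page=2" is allowed as well.
ALLOWED_SCHEMES = {"http", "https"}
SAFE_FALLBACK = "#"


def normalize_url(url: str) -> str:
    """Mimic browser URL preprocessing so the scheme check sees what the
    browser will see: strip leading/trailing C0 controls and spaces, and
    drop embedded tab/CR/LF characters (browsers ignore them in schemes)."""
    c0_and_space = "".join(chr(c) for c in range(0x21))
    stripped = url.strip(c0_and_space)
    return "".join(ch for ch in stripped if ch not in "\t\r\n")


def validate_href(url: str) -> str:
    """Return the URL when its scheme is allowed, otherwise a harmless fallback."""
    cleaned = normalize_url(url)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "" or scheme in ALLOWED_SCHEMES:
        return cleaned
    return SAFE_FALLBACK


def build_link_unsafe(url: str, page: int) -> str:
    """Vulnerable pattern: the URL is interpolated into href untouched, so a
    javascript: URI or a quote that closes the attribute survives intact."""
    return f'<a href="{url}">{page}</a>'


def build_link_safe(url: str, page: int) -> str:
    """Hardened pattern: scheme allow-list first, then attribute-context
    escaping. Escaping alone would not stop javascript: (no special chars);
    the allow-list alone would not stop a quote breaking out of href."""
    href = html.escape(validate_href(url), quote=True)
    return f'<a href="{href}">{page}</a>'
```

Note that escaping `&` also defeats entity-encoded schemes such as `javascript&colon;`, because the browser then sees the literal text rather than decoding it.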
How can this vulnerability impact me?
The vulnerability can lead to the execution of malicious scripts in the context of an authenticated user's session. This can result in unauthorized actions being performed on behalf of the user, session hijacking, or theft of sensitive information accessible to the user. Since the attack requires an authenticated admin or report viewer to click a crafted link, it can compromise administrative functions or sensitive report data within the Concrete CMS environment.