CVE-2026-3244 MEDIUM

CVE-2026-3244: Concrete CMS below version 9.4.8 is vulnerable to Stored XSS in Search Results via Page Names

Vendor Concrete CMS
Product Concrete CMS
Weakness CWE-79 · XSS
Published March 4, 2026
Last update March 4, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Passive
Confidentiality None
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the search block, where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks zolpak for reporting.

Key dates

02 Disclosure timeline

March 4, 2026 CVE published
March 4, 2026 Record updated