CVE-2026-8203 HIGH

CVE-2026-8203: Concrete CMS 9.5.0 and below has Stored XSS on the height parameter

Vendor Concrete Cms
Product Concrete CMS
Weakness CWE-79 · XSS
Published May 21, 2026
Last update May 22, 2026
View on NVD All CVEs

CVSS base score

7.3/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Alfin Joseph for reporting.

Key dates

02Disclosure timeline

May 21, 2026 CVE published
May 22, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-39575 WordPress Custom Query Blocks plugin <= 5.5.0 - Cross Site Scripting (XSS) vulnerability CVE-2025-5490 Football Pool <= 2.12.4 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2022-0683 Essential Addons for Elementor Lite <= 5.0.8 Reflected Cross-Site Scripting CVE-2025-8362 GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094 CVE-2024-34789 WordPress Post Grid Elementor Addon plugin <= 2.0.16 - Cross Site Scripting (XSS) vulnerability