CVE-2026-8353 LOW

CVE-2026-8353: Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme

Vendor Concrete Cms
Product Concrete CMS
Weakness CWE-79 · XSS
Published May 22, 2026
Last update May 22, 2026

CVSS base score

2.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Key dates

02Disclosure timeline

May 22, 2026 CVE published
May 22, 2026 Record updated