CVE-2026-8197
published 2026-05-21CVE-2026-8197: Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name…
PriorityP422medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
0.18%
7.9th percentile
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation helper as a sprintf-style format. The ... wrap is built by PHP string interpolation before t() runs, so the integration name lands in the translated output as raw HTML. A rogue admin could potentially snoop on login submissions.The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Thanks Yonatan Drori (Tenzai) for reporting.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| concrete5 | concrete5 | >= 0 < 9.5.1 | 9.5.1 |
| concrete_cms | concrete_cms | 5.0 – 9.5.0 | — |
| concretecms | concrete_cms | <= 9.5.0 | — |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvdv4.07.3HIGHCVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-h72c-xx3w-w8h7: Concrete CMS 9
ghsa_unreviewed·2026-05-21
CVE-2026-8197 [HIGH] CWE-79 GHSA-h72c-xx3w-w8h7: Concrete CMS 9
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation helper as a sprintf-style format. The ... wrap is built by PHP string interpolation before t() runs, so the integration name lands in the translated output as raw HTML. A rogue admin could potentially snoop on login submissions.The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Thanks Yonatan Drori (Tenzai) for reporting.
GHSA
Concrete CMS is vulnerable to Stored XSS via OAuth integration name
ghsa·2026-05-21
CVE-2026-8197 [HIGH] CWE-79 Concrete CMS is vulnerable to Stored XSS via OAuth integration name
Concrete CMS is vulnerable to Stored XSS via OAuth integration name
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation helper as a sprintf-style format. The ... wrap is built by PHP string interpolation before t() runs, so the integration name lands in the translated output as raw HTML. A rogue admin could potentially snoop on login submissions.The Concrete CMS security team thanks Yonatan Drori (Tenzai) for reporting this issue.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-21
Published