CVE-2026-8353
Published 2026-05-22
Priority: P4 · 22
CVSS 3.1: 4.8 (medium), vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.15% (4.5th percentile)
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| concrete5 | concrete5 | >= 9.0.0RC.1 < 9.5.1 | 9.5.1 |
| concrete_cms | concrete_cms | 9.0 – 9.5.0 | — |
| concretecms | concrete_cms | >= 9.0 < 9.5.1 | 9.5.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| cvelistv5 | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
GHSA
ghsa · 2026-05-26 · CVE-2026-8353 [LOW] · CWE-79
Concrete CMS is vulnerable to Stored XSS via page name in the Atomik theme
GHSA (unreviewed)
ghsa_unreviewed · 2026-05-26 · CVE-2026-8353 [LOW] · CWE-79
GHSA-q9fm-mpg8-8jqm: Concrete CMS version 9
CVEList
cvelistv5 · 2026-05-22 · CVSS 2.1 · CVE-2026-8353 [LOW] · CWE-79
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme
VulDB
vuldb · 2026-05-22 · CVE-2026-8353 [LOW]
Concrete CMS up to 9.5.0 cross site scripting
A vulnerability, which was classified as problematic, was found in Concrete CMS up to 9.5.0. The affected element is an unknown function. Executing a manipulation can lead to cross site scripting.
This vulnerability is handled as CVE-2026-8353. The attack can be executed remotely. There is no exploit available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-22