CVEFinder.io

CVE-2026-8353

🔶 medium
🔍 Scan for this CVE
Summary

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N

Description

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

CVSS Score
4.8
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-22
First Seen: 2026-05-27
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 13.8% of all 328,009 vulnerabilities in our database.

#282,765
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 22, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Yonatan Drori (Tenzai)
SSVC data provided by CISA
Last Modified 2026-05-22
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-79

📦 Affected Products 1

Vendor Product Status Affected Versions
concretecms concrete_cms Affected
> 9.0 < 9.5.1

🔗 References 1

https://documentation.concretecms.org/9-x/developers...
Vendor Advisory Release Notes

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-8340 🔶 medium 4.3 0.0 Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents p... 2026-05-22
CVE-2026-8347 🔶 medium 4.3 0.0 Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog... 2026-05-22
CVE-2026-6826 🔶 medium 5.3 0.0 Concrete CMS 9.5.0 and below  is vulnerable to unauthenticated file usage disclosure via missing permission check in t... 2026-05-21
CVE-2026-8134 ⚠️ high 7.2 0.5 Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTempl... 2026-05-21
CVE-2026-8135 ⚠️ high 7.2 0.2 Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the E... 2026-05-21
CVE-2026-8140 🔶 medium 6.5 0.0 Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/down... 2026-05-21
These CVEs affect the same products