{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-3241","assignerOrgId":"ff5b8ace-8b95-4078-9743-eac1ca5451de","state":"PUBLISHED","assignerShortName":"ConcreteCMS","dateReserved":"2026-02-26T02:21:35.988Z","datePublished":"2026-03-04T02:12:51.092Z","dateUpdated":"2026-03-04T15:42:07.836Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://github.com/concretecms/concretecms","defaultStatus":"unaffected","platforms":["git"],"product":"Concrete CMS","repo":"https://github.com/concretecms/concretecms","vendor":"Concrete CMS","versions":[{"lessThan":"9.4.8","status":"affected","version":"5","versionType":"git"}]}],"credits":[{"lang":"en","type":"reporter","value":"M3dium"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"In Concrete CMS below version 9.4.8, a<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;stored cross-site scripting (XSS) vulnerability exists in the \"Legacy Form\" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form.&nbsp;The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector&nbsp;CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">M3dium</span> for reporting.&nbsp;</span><br>"}],"value":"In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the \"Legacy Form\" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting."}],"impacts":[{"capecId":"CAPEC-592","descriptions":[{"lang":"en","value":"CAPEC-592 Stored XSS"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":4.8,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"HIGH","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"ff5b8ace-8b95-4078-9743-eac1ca5451de","shortName":"ConcreteCMS","dateUpdated":"2026-03-04T02:12:51.092Z"},"references":[{"url":"https://github.com/concretecms/concretecms/pull/12826"},{"url":"https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"}],"source":{"advisory":"3456482","defect":["HackerOne"],"discovery":"EXTERNAL"},"title":"Concrete CMS below version 9.4.8 is vulnerable to a stored cross-site scripting (XSS) in the \"Legacy Form\" block.","x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-04T15:41:54.660496Z","id":"CVE-2026-3241","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-04T15:42:07.836Z"}}]}}