CVE-2026-8203
Concrete CMS 9.5.0 and below has Stored XSS on the height parameter
| CVSS Score (this site) | 0.0 (not populated; the vendor-assigned CVSS v4.0 score of 7.3 is given in the description below) |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller neither validates nor sanitizes the `$height` value before it is stored and later written into page markup. Because the XSS is stored, the payload persists in site content and executes in the browser of every visitor who renders the affected page, not only the attacker's. Any user with editor privileges can therefore inject JavaScript that runs in the context of any visitor's browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks to Alfin Joseph for reporting.
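The following PHP is an added illustration written for this page; it is not Concrete CMS code and does not reproduce the actual vulnerable controller. It shows the general pattern the advisory describes (an editor-supplied "height" written into HTML without a check) next to a hardened version that enforces a numeric whitelist at save time and encodes on output. The function names (`render_vulnerable`, `validate_height`, `render_hardened`), the `style` attribute context, and the sample editor input are all assumptions chosen for the demonstration.

```php
<?php
// Added example, not Concrete CMS code. Function names, the attribute context
// and the inputs below are hypothetical and constructed for this illustration.

// Constructed editor input. A benign editor saves a number; a malicious editor
// saves a string that closes the attribute and adds an event handler.
$benignHeight   = '300';
$attackerHeight = '300" onmouseover="alert(document.cookie)';

// Vulnerable pattern: whatever was stored as "height" is concatenated straight
// into markup. The stored value breaks out of the style attribute.
function render_vulnerable(string $height): string
{
    return '<div class="block" style="height:' . $height . 'px">...</div>';
}

// Hardened, step 1 (save time): accept only a bounded non-negative integer.
// Returns null for anything else so the caller can reject the edit.
function validate_height(mixed $raw): ?int
{
    if (!is_int($raw) && !is_string($raw)) {
        return null;
    }
    $s = trim((string) $raw);
    if (!preg_match('/^\d{1,5}$/', $s)) {   // digits only, no sign, no units
        return null;
    }
    $n = (int) $s;
    return ($n >= 0 && $n <= 10000) ? $n : null;   // sane pixel bound
}

// Hardened, step 2 (render time): only an int ever reaches the template, and it
// is still HTML-encoded for the attribute context as defence in depth.
function render_hardened(?int $height): string
{
    if ($height === null) {
        return '<div class="block">...</div>';
    }
    $safe = htmlspecialchars((string) $height, ENT_QUOTES, 'UTF-8');
    return '<div class="block" style="height:' . $safe . 'px">...</div>';
}

// Demonstration of both paths.
echo "Vulnerable, attacker value:\n" . render_vulnerable($attackerHeight) . "\n\n";

foreach ([$benignHeight, $attackerHeight] as $input) {
    $h = validate_height($input);
    echo "Hardened, input " . var_export($input, true) . ": ";
    echo $h === null ? "rejected at save time\n" : render_hardened($h) . "\n";
}
```

The validation step is the real fix: a numeric dimension has no legitimate reason to contain quotes, spaces or tags, so an allow-list regex plus a range check removes the injection vector entirely. Output encoding alone would also neutralize this particular payload, but it is kept as a second layer in case a future template echoes the value in another context.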
| CWE | CWE-79 |
| Vendor | concrete cms |
| Product | concrete cms |
| Published | May 21, 2026 |
| Last Updated | May 22, 2026 |
Affected Versions
Concrete CMS / Concrete CMS
5 up to and including 9.5.0
Credits
Alfin Joseph