CVE-2026-8353
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
| CWE | CWE-79 |
| Vendor | concrete cms |
| Product | concrete cms |
| Published | May 22, 2026 |
| Last Updated | May 22, 2026 |
Stay Ahead of the Next One
Get instant alerts for concrete cms concrete cms
Be the first to know when new unknown vulnerabilities affecting concrete cms concrete cms are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Concrete CMS / Concrete CMS
9.0 ≤ 9.5.0
References
Credits
Yonatan Drori (Tenzai)