CVE-2026-3241: Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability

March 4, 2026

In Concrete CMS below version 9.4.8, a Cross-site Scripting (XSS) vulnerability exists in the “Legacy Form” block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form.

The Concrete CMS security team thanks M3dium for reporting.

References

documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes
github.com/advisories/GHSA-f4vq-pj32-gr4q
github.com/concretecms/concretecms
github.com/concretecms/concretecms/pull/12826
nvd.nist.gov/vuln/detail/CVE-2026-3241

Code Behaviors & Features

Detect and mitigate CVE-2026-3241 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →