CVE-2026-3244: Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability

March 4, 2026

In Concrete CMS below version 9.4.8, A stored Cross-site Scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results.

The Concrete CMS security team thanks zolpak for reporting.

References

documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes
github.com/advisories/GHSA-mm5f-5rqw-574f
github.com/concretecms/concretecms
github.com/concretecms/concretecms/pull/12826
nvd.nist.gov/vuln/detail/CVE-2026-3244

Code Behaviors & Features

Detect and mitigate CVE-2026-3244 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →