CVE-2026-3240 - Vulnerability Details - OpenCVE

In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes
https://github.com/concretecms/concretecms/pull/12826

History

Wed, 04 Mar 2026 03:00:00 +0000

Type	Values Removed	Values Added
Description		In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting.
Title		Concrete CMS below 9.4.8 is vulnerable to Stored XSS via Legacy form
Weaknesses		CWE-79
References		https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes https://github.com/concretecms/concretecms/pull/12826
Metrics		cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published: 2026-03-04T02:15:53.400Z

Updated: 2026-03-04T02:15:53.400Z

Reserved: 2026-02-26T01:42:11.496Z

Link: CVE-2026-3240

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-04T03:16:04.940

Modified: 2026-03-04T03:16:04.940

Link: CVE-2026-3240

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3240", "assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "state": "PUBLISHED", "assignerShortName": "ConcreteCMS", "dateReserved": "2026-02-26T01:42:11.496Z", "datePublished": "2026-03-04T02:15:53.400Z", "dateUpdated": "2026-03-04T02:15:53.400Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/concretecms/concretecms", "defaultStatus": "unaffected", "product": "Concrete CMS", "repo": "https://github.com/concretecms/concretecms", "vendor": "Concrete CMS", "versions": [{"lessThan": "9.4.8", "status": "affected", "version": "5", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "finder", "value": "minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">In Concrete CMS below version 9.4.8, a </span><span style=\"background-color: rgb(255, 255, 255);\">user with permission to edit a page with element</span> Legacy form <span style=\"background-color: rgb(255, 255, 255);\">can perform a stored XSS attack towards high-privilege accounts via the </span>Question<span style=\"background-color: rgb(255, 255, 255);\"> field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting.</span><br><br>"}], "value": "In Concrete CMS below version 9.4.8, a\u00a0user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the\u00a0Question field.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Thanks\u00a0minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.8, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "shortName": "ConcreteCMS", "dateUpdated": "2026-03-04T02:15:53.400Z"}, "references": [{"url": "https://github.com/concretecms/concretecms/pull/12826"}, {"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"}], "source": {"advisory": "3451114", "defect": ["HackerOne"], "discovery": "EXTERNAL"}, "title": "Concrete CMS below 9.4.8 is vulnerable to Stored XSS via Legacy form", "x_generator": {"engine": "Vulnogram 0.5.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Concrete CMS below version 9.4.8, a\u00a0user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the\u00a0Question field.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Thanks\u00a0minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting."}], "id": "CVE-2026-3240", "lastModified": "2026-03-04T03:16:04.940", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "type": "Secondary"}]}, "published": "2026-03-04T03:16:04.940", "references": [{"source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"}, {"source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "url": "https://github.com/concretecms/concretecms/pull/12826"}], "sourceIdentifier": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "type": "Secondary"}]}