Home

Description

Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation helper as a sprintf-style format. The <strong>...</strong> wrap is built by PHP string interpolation before t() runs, so the integration name lands in the translated output as raw HTML. A rogue admin could potentially snoop on login submissions.The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Thanks Yonatan Drori (Tenzai) for reporting.

PUBLISHED Reserved 2026-05-08 | Published 2026-05-21 | Updated 2026-05-22 | Assigner ConcreteCMS




HIGH: 7.3CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

Product status

Default status
unaffected

5.0 (git)
affected

Credits

Yonatan Drori (Tenzai) finder

References

documentation.concretecms.org/...n-history/951-release-notes release-notes

cve.org (CVE-2026-8197)

nvd.nist.gov (CVE-2026-8197)

Download JSON