
Description

Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (<a href="{$linkURL}" …>). Any authenticated admin or report viewer with access to `/dashboard/reports/forms/legacy` who clicks the crafted URL fires the payload in their session. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Yonatan Drori (Tenzai) for reporting.
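The defect described above is a missing output-encoding step in an HTML attribute context. The following is an added illustration, not Concrete CMS code: a minimal pagination link builder in the vulnerable shape (URL interpolated into href="" unchanged) next to the hardened shape (URL passed through htmlspecialchars with ENT_QUOTES before output), with a constructed sample URL and a check that the rendered attribute boundary survives intact. Function names and the sample input are assumptions made for this example.

```php
<?php
// Added example (not Concrete CMS code): raw vs. attribute-escaped link building.
declare(strict_types=1);

/** Vulnerable shape: the URL is dropped into the href attribute unchanged. */
function buildPageLinkRaw(string $url, int $page): string
{
    return '<a href="' . $url . '">' . $page . '</a>';
}

/** Hardened shape: encode for an HTML attribute context before output.
 *  ENT_QUOTES encodes both " and ', so single-quoted attributes are covered too. */
function buildPageLinkEscaped(string $url, int $page): string
{
    $safeUrl = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safeUrl . '">' . $page . '</a>';
}

/** Integrity check: the href value must contain no raw quote or angle bracket,
 *  so the markup is exactly one anchor with exactly one attribute. */
function hrefIsIntact(string $html): bool
{
    return preg_match('/^<a href="[^"<>]*">\d+<\/a>$/', $html) === 1;
}

// Constructed sample input: a page URL carrying characters that end an attribute.
$untrusted = '/dashboard/reports/forms/legacy?page=1" data-x="<b>';

$raw = buildPageLinkRaw($untrusted, 2);
$esc = buildPageLinkEscaped($untrusted, 2);

echo hrefIsIntact($raw) ? 'raw: attribute intact' : 'raw: attribute boundary broken', PHP_EOL;
echo hrefIsIntact($esc) ? 'escaped: attribute intact' : 'escaped: attribute boundary broken', PHP_EOL;

// Fail loudly if the hardened builder ever lets the boundary break.
if (!hrefIsIntact($esc)) {
    throw new RuntimeException('escaped href is not well-formed');
}
```

In the escaped output the quote, angle brackets and any ampersands arrive as entities (&quot;, &lt;, &gt;, &amp;), which the browser decodes back into the href value without ever leaving the attribute.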

PUBLISHED Reserved 2026-05-09 | Published 2026-05-21 | Updated 2026-05-22 | Assigner ConcreteCMS

MEDIUM: 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-83 Improper neutralization of script in attributes in a web page

Product status

Default status
unaffected

5.0 (git)
affected

Credits

Yonatan Drori (Tenzai) finder

References

documentation.concretecms.org/...n-history/951-release-notes release-notes

cve.org (CVE-2026-8245)

nvd.nist.gov (CVE-2026-8245)
