CVE-2026-3240 in Concrete CMS

Summary

by MITRE • 03/04/2026

In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting.


Analysis

by VulDB Data Team • 03/06/2026

This vulnerability exists within Concrete CMS versions prior to 9.4.8 and represents a stored cross-site scripting flaw that specifically targets users with edit permissions on pages containing legacy form elements. The attack vector exploits the Question field within these legacy forms, allowing an authenticated attacker with sufficient privileges to inject malicious scripts that persist in the application's database. The vulnerability demonstrates a critical weakness in input sanitization and output encoding mechanisms within the CMS's form handling components, particularly affecting the legacy form element implementation that has not been adequately secured against persistent script injection attacks. The CVSS v4.0 score of 4.8 indicates a medium severity threat with network accessibility, low attack complexity, and the requirement for high privilege authentication, suggesting that the vulnerability requires a user with existing edit permissions to exploit effectively.

The technical exploitation occurs through the manipulation of the Question field within legacy form elements, where user input is not properly validated or sanitized before being stored in the database and subsequently rendered to other users. This creates a persistent XSS condition where malicious scripts can execute in the context of high-privilege accounts who view the affected pages. The vulnerability specifically affects the legacy form element functionality, which likely represents older code components that have not received the same security hardening as newer CMS features. This represents a classic stored XSS scenario where the malicious payload is stored server-side and executed when other users access the compromised content, making it particularly dangerous in environments where administrators or privileged users regularly view page content.

The operational impact of this vulnerability extends beyond simple script execution, as it can potentially enable attackers to escalate privileges, steal session cookies, or perform actions on behalf of high-privilege users. When combined with the requirement for high privilege authentication, this creates a scenario where a compromised user account with edit permissions can leverage this vulnerability to gain further access to sensitive administrative functions. The attack requires a user to have permission to edit pages containing legacy forms, which typically means the attacker would need to be a content editor or administrator with appropriate access rights. This vulnerability aligns with CWE-79, which categorizes cross-site scripting flaws, and could be mapped to ATT&CK technique T1566.001 for initial access through malicious web content, and potentially T1078 for legitimate credential use if session hijacking occurs.

Organizations running Concrete CMS versions below 9.4.8 should prioritize immediate patching to address this vulnerability, as the stored nature of the attack means that malicious payloads can persist for extended periods. The vulnerability affects legacy form elements specifically, making it important for administrators to identify and either update or disable these components until proper security measures are in place. Security teams should implement monitoring for suspicious content modifications in pages containing legacy forms, and consider temporary workarounds such as disabling the legacy form element or restricting edit permissions on pages containing potentially vulnerable components. The reporting from VCSLab-Viettel Cyber Security highlights the importance of community-driven vulnerability disclosure in identifying and addressing security gaps in content management systems, particularly those affecting legacy components that may not receive the same security attention as newer features.
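The following Python is an added illustration, not code from the advisory, from Concrete CMS or from its fix. It shows the two sides of the analysis above: the flaw pattern (a stored Question label interpolated into markup unencoded) next to the hardened rendering (HTML-encoding the label for element-content context), and a defender-side scan over stored questions of the kind the monitoring advice calls for. The STORED_QUESTIONS list, the function names and the heuristic pattern are constructed for this example; the two malicious-looking entries are constructed samples, not payloads taken from the report.

```python
"""Stored XSS in a form 'Question' label: vulnerable vs. hardened rendering,
plus a content scan a defender could run over stored questions.
Added example; not Concrete CMS code."""
import html
import re

# Constructed sample of stored form questions, as an editor might have saved them.
# Entries 2 and 3 stand in for content that should never have been stored as-is.
STORED_QUESTIONS = [
    "What is your name?",
    "Please confirm = yes",                         # legitimate '=' must not be flagged
    'Feedback <script>alert("xss")</script>',       # constructed: script in element content
    'Email <b onmouseover="x()">address</b>',       # constructed: event handler attribute
]


def render_question_vulnerable(question: str) -> str:
    """Interpolates the stored label directly into markup: the flaw pattern.
    Whatever was stored becomes live HTML for every viewer of the page."""
    return f"<label>{question}</label>"


def render_question_safe(question: str) -> str:
    """HTML-encodes the label before it reaches element-content context.
    quote=True also encodes quotes, so the same helper is safe inside a
    quoted attribute value; a JavaScript or URL context would need its own encoder."""
    return f"<label>{html.escape(question, quote=True)}</label>"


def tag_names(rendered: str) -> set:
    """Element names a browser would parse out of the rendered fragment.
    Used to show that encoding leaves only the template's own <label>."""
    return {m.lower() for m in re.findall(r"<\s*/?\s*([a-zA-Z]+)", rendered)}


# Heuristic for a field that should hold plain text: a tag-like token, an
# event-handler attribute preceded by whitespace, or a javascript: scheme.
_MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-z][^>]*>|(?:^|\s)on[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def flag_suspicious_questions(questions):
    """Return (index, question) pairs whose stored text looks like markup.
    Intended for review of content modifications, not as a substitute for encoding."""
    return [(i, q) for i, q in enumerate(questions) if _MARKUP_RE.search(q)]


if __name__ == "__main__":
    for i, q in enumerate(STORED_QUESTIONS):
        print(i, "vulnerable ->", tag_names(render_question_vulnerable(q)))
        print(i, "safe       ->", tag_names(render_question_safe(q)))
    print("flagged:", flag_suspicious_questions(STORED_QUESTIONS))
```

The point of the `tag_names` comparison is that the hardened renderer never lets stored text contribute an element, whatever the text contains, whereas the scan is only a review aid with inevitable false negatives and positives (hence the guard that keeps "confirm = yes" unflagged). In PHP, the language Concrete CMS is written in, the analogous encoding call is htmlspecialchars with ENT_QUOTES; how the project's own fix is implemented is not stated on this page.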

Responsible: ConcreteCMS

Reservation: 02/26/2026

Disclosure: 03/04/2026

Moderation: accepted

CPE: ready

EPSS: 0.00011

KEV: no

Activities: very low
