CVE-2026-3241 in Concrete CMS
Summary
by MITRE • 03/04/2026
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to M3dium for reporting.
Analysis
by VulDB Data Team • 03/06/2026
CVE-2026-3241 is a stored cross-site scripting flaw in Concrete CMS versions prior to 9.4.8, confined to the "Legacy Form" block. The block does not neutralize the option values of multiple-choice questions (Checkbox List, Radio Buttons, Select Box) before rendering them into the page, so an attacker-supplied option label is emitted as live HTML rather than as text (CWE-79). The vendor rates it medium, not critical, but it still deserves attention: these question types are common interactive components, and the payload persists in the block configuration rather than in a single request.
Exploitation requires an authenticated account that can create or edit forms, which in practice means a compromised administrator account or an insider. Once the payload is saved into a question's options it sits in the CMS database and is emitted on every render of the page containing the form, so the script runs in the browser of every visitor who loads that page, anonymous or privileged alike. The victim does not have to interact with the form; loading the page is enough.
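The following is an added example, not code from Concrete CMS or from the advisory. It shows how raw interpolation of a multiple-choice question's option labels produces exactly this kind of stored XSS, next to the output-encoded rendering that a fix has to achieve. It assumes that a question's options are held as a list of strings and rendered into select, radio or checkbox markup; the `Question<id>` field name and the sample options are constructed for the example.

```python
"""Added example, not Concrete CMS code: how raw interpolation of a
multiple-choice question's option labels produces stored XSS, next to
the output-encoded rendering that a correct fix needs to produce.

Assumptions (not from the advisory): a question's options are held as a
list of strings and rendered into <option>, radio or checkbox markup;
the field name "Question<id>" and the sample options are constructed."""

import html
from typing import Callable, Iterable

# Constructed sample: one benign label plus two attacker-supplied labels
# of the kind a rogue administrator could save into a question's options.
SAMPLE_OPTIONS = [
    "Red",
    'Blue" onmouseover="alert(document.domain)',  # breaks out of value="..."
    "<img src=x onerror=alert(document.cookie)>",  # live tag in the label text
]


def _render(question_id: int, input_type: str, options: Iterable[str],
            encode: Callable[[str], str]) -> str:
    """Builds the markup for one question; `encode` is applied to every
    option string before it is placed into an attribute or a text node."""
    parts = []
    for opt in options:
        s = encode(opt)
        if input_type == "select":
            parts.append(f'<option value="{s}">{s}</option>')
        else:  # "radio" or "checkbox"
            parts.append(f'<label><input type="{input_type}" '
                         f'name="Question{question_id}" value="{s}"> {s}</label>')
    body = "\n".join(parts)
    if input_type == "select":
        return f'<select name="Question{question_id}">\n{body}\n</select>'
    return body


def render_vulnerable(question_id: int, input_type: str, options) -> str:
    """The flawed pattern: option strings go into the page untouched."""
    return _render(question_id, input_type, options, lambda s: s)


def render_hardened(question_id: int, input_type: str, options) -> str:
    """Same markup with HTML encoding for the attribute and text contexts.
    html.escape(quote=True) turns & < > " ' into entities, so a label can
    neither close the value attribute nor start a tag."""
    return _render(question_id, input_type, options,
                   lambda s: html.escape(s, quote=True))


def carries_live_payload(markup: str) -> bool:
    """Crude check used by the demo: does the rendered page still contain
    the injected tag or the attribute break-out from SAMPLE_OPTIONS?"""
    return "<img src=x" in markup or '" onmouseover="' in markup


if __name__ == "__main__":
    for kind in ("select", "radio", "checkbox"):
        bad = render_vulnerable(7, kind, SAMPLE_OPTIONS)
        good = render_hardened(7, kind, SAMPLE_OPTIONS)
        print(f"{kind}: vulnerable carries payload={carries_live_payload(bad)}, "
              f"hardened carries payload={carries_live_payload(good)}")
    print(render_hardened(7, "select", SAMPLE_OPTIONS))
```

The point of the `encode` parameter is that the difference between the vulnerable and hardened renderers is one output-encoding step applied at the point where untrusted text meets HTML; input validation at save time is a weaker substitute, because a label that is legitimate text (a quote character, an ampersand) still has to be encoded when it is rendered.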
For organizations running Concrete CMS the exposure is moderate rather than severe. The CVSS v4.0 score of 4.8 (medium) with vector AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N reflects that the attack is network-reachable and low-complexity but needs high privileges (PR:H) and only passive user interaction (UI:P, the victim merely loads the page), and that the vendor rated the direct impact as low on integrity (VI:L) with no confidentiality or availability impact. In practice, stored JavaScript can do whatever script on the site's origin can do: forge requests to the CMS in the victim's session, rewrite page content, redirect visitors, or read data the victim's browser can reach. Whether session cookies themselves are readable depends on the HttpOnly flag and the deployment; the advisory gives no detail on this.
The operational impact can go beyond the rendered page: the injected script runs in the victim's authenticated session, so an attacker can act as that user against the CMS (for example, creating further content or accounts if the victim is an editor or administrator) or reach other web applications the victim's browser can access. In ATT&CK terms the closest fit is T1189 (Drive-by Compromise), since victims are compromised by visiting a page, with the payload itself classed under T1059.007 (Command and Scripting Interpreter: JavaScript). The underlying weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation); CSRF (CWE-352) is a distinct weakness, although a stored XSS payload can of course issue forged requests in the victim's session.
The primary mitigation is to upgrade to Concrete CMS 9.4.8 or later, which fixes the Legacy Form block. Until then, keep the set of accounts that can create or edit form blocks as small as possible, since the attack needs that permission. Because the payload lives in the block configuration rather than in form submissions, monitoring for malicious submissions will not catch it; instead, audit the options of every Legacy Form multiple-choice question for HTML tags, event-handler attributes or javascript: URLs, and review page version history and user activity for unexpected edits to form blocks. A Content-Security-Policy that disallows inline script limits what a stored payload can do while the patch is rolled out. Administrator awareness training should cover reviewing form edits and keeping form-editing rights to a minimum.
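The audit step above can be scripted. The following is an added example, not Concrete CMS code, that scans exported option values of multiple-choice questions for markup that has no business in a label. It assumes an export of the block's question table with one newline-separated `options` string per question; the column names (`bID`, `qID`, `inputType`, `options`), the input type names and the sample rows are all constructed for this example and must be adapted to the real schema.

```python
"""Added example, not Concrete CMS code: an offline audit that scans the
stored option values of Legacy Form multiple-choice questions for markup
that should never appear in an option label, so an instance can be
checked for an already-planted payload before or after patching.

Assumptions (not from the advisory): the rows mimic an export of the
block's question table with one newline-separated "options" string per
question; the column names, the input type names and the sample rows are
constructed for this example."""

import re

# Assumed type names for the three multiple-choice question kinds.
MULTI_CHOICE_TYPES = {"select", "radios", "checkboxlist"}

# Conservative triage patterns; none of these belongs in a plain label.
# This is a triage list, not an HTML parser: review hits by hand.
SUSPICIOUS = [
    (re.compile(r"<\s*/?\s*[a-z!]", re.I), "html tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event handler attribute"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
    (re.compile(r"&#x?[0-9a-f]+;?", re.I), "numeric character reference"),
    (re.compile(r"[\"']\s*[a-z-]+\s*=", re.I), "attribute break-out"),
]

# Constructed sample export: two clean questions, a non-choice question
# that is skipped, a label with a legitimate quote and ampersand, and two
# questions carrying payloads of the kind the advisory describes.
SAMPLE_ROWS = [
    {"bID": 12, "qID": 1, "inputType": "select", "options": "Red\nGreen\nBlue"},
    {"bID": 12, "qID": 2, "inputType": "text", "options": ""},
    {"bID": 12, "qID": 3, "inputType": "checkboxlist",
     "options": '5" display\nQ&A session'},
    {"bID": 15, "qID": 4, "inputType": "radios",
     "options": "Yes\n<img src=x onerror=alert(document.cookie)>"},
    {"bID": 15, "qID": 5, "inputType": "checkboxlist",
     "options": 'Small\nMedium" autofocus onfocus="alert(1)'},
]


def scan_options(rows):
    """Returns one finding per suspicious option line, in table order.
    Each finding records block id, question id, the 1-based option line,
    the raw option text and the first pattern that matched."""
    findings = []
    for row in rows:
        if row["inputType"] not in MULTI_CHOICE_TYPES:
            continue
        for line_no, opt in enumerate(row["options"].splitlines(), start=1):
            for pattern, reason in SUSPICIOUS:
                if pattern.search(opt):
                    findings.append({"bID": row["bID"], "qID": row["qID"],
                                     "line": line_no, "option": opt,
                                     "reason": reason})
                    break  # one reason per line is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan_options(SAMPLE_ROWS):
        print(f"block {f['bID']} question {f['qID']} option {f['line']}: "
              f"{f['reason']}: {f['option']!r}")
```

Run it against a dump of the real question table rather than the constructed rows, and treat every hit as a lead: a label such as `5" display` passes, but a legitimate label that happens to contain `<` will also be flagged and needs a human look. A hit on a production site is evidence that the flaw was already exploited, in which case the page version history identifies the account that saved it.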