CVE-2026-3241 in Concrete: Information

Summary

By MITRE • 2026-03-04

In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting.

Responsible

ConcreteCMS

Reserved

2026-02-26

Moderation

Accepted

Entry

VDB-348665

EPSS

0.00010

Activity

Very low
