MEDIUM

GHSA-f73j-pm2c-rxvr

Concrete CMS is Vulnerable to Reflected XSS in Legacy Pagination

Details

Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (<a href="{$linkURL}" …>). Any authenticated admin or report viewer with access to `/dashboard/reports/forms/legacy` who clicks the crafted URL fires the payload in their session.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / concrete5/concrete5

Introduced in: 0 Fixed in: 9.5.1

Fix composer require concrete5/concrete5:^9.5.1

References

https://nvd.nist.gov/vuln/detail/CVE-2026-8245 [ADVISORY]
https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes [WEB]
https://github.com/concretecms/concretecms [PACKAGE]