LOW

GHSA-q9fm-mpg8-8jqm

Concrete CMS is vulnerable to Stored XSS via page name in the Atomik theme

Details

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. Thanks Yonatan Drori (Tenzai) for reporting.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / concrete5/concrete5

Introduced in: 9.0.0RC.1 Fixed in: 9.5.1

Fix composer require concrete5/concrete5:^9.5.1

References

https://nvd.nist.gov/vuln/detail/CVE-2026-8353 [ADVISORY]
https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes [WEB]
https://github.com/concretecms/concretecms [PACKAGE]