CVE-2026-8353
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme
Vexday Risk Score
8 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 2.1 · EPSS 0.1% · KEV no · PoC — · Nuclei — · Metasploit — · Patch —
Lifecycle
22 May 2026: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
Concrete CMS · Concrete CMS