Security Advisory

CVE-2026-8203

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-05-21 20:31:56
Last updated 2026-05-22 13:21:51
Assigner ConcreteCMS
State PUBLISHED

Description

Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks to Alfin Joseph for reporting.
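The pattern described above, as an added illustration that is not Concrete CMS's own code: a hypothetical block controller that echoes a submitted height value raw, beside a hardened version that validates the value as a bounded integer on save and escapes it on output. The function names, the MIN_HEIGHT/MAX_HEIGHT bounds and the sample inputs are constructed for this example.

```php
<?php
// Added illustration (not Concrete CMS code). A block controller receives a
// "height" value from the edit form and later renders it into the page.

// Hypothetical bounds for an acceptable pixel height.
const MIN_HEIGHT = 1;
const MAX_HEIGHT = 4000;

// Vulnerable pattern: the submitted value is stored and interpolated as-is,
// so a value containing a double quote breaks out of the style attribute and
// the remainder becomes attacker-controlled markup (stored XSS).
function render_vulnerable(array $post): string
{
    $height = $post['height'];                 // no validation, no escaping
    return '<div class="block" style="height:' . $height . 'px"></div>';
}

// Hardened, step 1: validate on save. Accept only a plain integer inside the
// allowed range; return null so the caller can raise a form error instead of
// persisting the value.
function validate_height(mixed $raw): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => MIN_HEIGHT, 'max_range' => MAX_HEIGHT],
    ]);
    return $value === false ? null : $value;
}

// Hardened, step 2: escape on output as well, so the template stays safe even
// if a non-integer value reached the database by some other path.
function render_hardened(int $height): string
{
    $safe = htmlspecialchars((string) $height, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="block" style="height:' . $safe . 'px"></div>';
}

// Constructed inputs: a benign value and one that would break out of the
// attribute in render_vulnerable(). The validator rejects the second one.
foreach (['300', '300"><b>'] as $submitted) {
    $h = validate_height($submitted);
    echo $h === null
        ? 'rejected: ' . json_encode($submitted) . PHP_EOL
        : render_hardened($h) . PHP_EOL;
}
```

The validator is the actual fix; the output escaping is defence in depth so that the template does not depend on every write path having been validated.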