{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-8353", "assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "state": "PUBLISHED", "assignerShortName": "ConcreteCMS", "dateReserved": "2026-05-11T17:02:39.581Z", "datePublished": "2026-05-22T14:18:06.991Z", "dateUpdated": "2026-05-22T17:08:17.411Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "shortName": "ConcreteCMS", "dateUpdated": "2026-05-22T14:18:06.991Z"}, "title": "Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "affected": [{"vendor": "Concrete CMS", "product": "Concrete CMS", "collectionURL": "https://github.com/concretecms/concretecms", "repo": "https://github.com/concretecms/concretecms", "versions": [{"status": "affected", "version": "9.0", "lessThanOrEqual": "9.5.0", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor\u00a0can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u00a02.1 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks\u00a0Yonatan Drori (Tenzai) for reporting.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor&nbsp;<span>can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation.&nbsp;</span>The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of&nbsp;2.1 with vector&nbsp;CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks&nbsp;Yonatan Drori (Tenzai) for reporting.&nbsp;"}]}], "references": [{"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes", "tags": ["release-notes"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Yonatan Drori (Tenzai)", "type": "finder"}], "source": {"defect": ["HackerOne"], "advisory": "https://hackerone.com/reports/3715247", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-22T17:05:42.901517Z", "id": "CVE-2026-8353", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-22T17:08:17.411Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-8353", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-22T17:05:42.901517Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-22T17:08:06.722Z"}}], "cna": {"title": "Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme", "source": {"defect": ["HackerOne"], "advisory": "https://hackerone.com/reports/3715247", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Yonatan Drori (Tenzai)"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/concretecms/concretecms", "vendor": "Concrete CMS", "product": "Concrete CMS", "versions": [{"status": "affected", "version": "9.0", "versionType": "git", "lessThanOrEqual": "9.5.0"}], "collectionURL": "https://github.com/concretecms/concretecms", "defaultStatus": "unaffected"}], "references": [{"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor\u00a0can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u00a02.1 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks\u00a0Yonatan Drori (Tenzai) for reporting.", "supportingMedia": [{"type": "text/html", "value": "Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor&nbsp;<span>can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation.&nbsp;</span>The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of&nbsp;2.1 with vector&nbsp;CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks&nbsp;Yonatan Drori (Tenzai) for reporting.&nbsp;", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "providerMetadata": {"orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "shortName": "ConcreteCMS", "dateUpdated": "2026-05-22T14:18:06.991Z"}}}, "cveMetadata": {"cveId": "CVE-2026-8353", "state": "PUBLISHED", "dateUpdated": "2026-05-22T17:08:17.411Z", "dateReserved": "2026-05-11T17:02:39.581Z", "assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "datePublished": "2026-05-22T14:18:06.991Z", "assignerShortName": "ConcreteCMS"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"collectionURL": "https://github.com/concretecms/concretecms", "defaultStatus": "unaffected", "product": "Concrete CMS", "repo": "https://github.com/concretecms/concretecms", "vendor": "Concrete CMS", "versions": [{"lessThanOrEqual": "9.5.0", "status": "affected", "version": "9.0", "versionType": "git"}]}], "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8B152AE-0781-4256-B7C3-4F7B75A83722", "versionEndExcluding": "9.5.1", "versionStartIncluding": "9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor\u00a0can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u00a02.1 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks\u00a0Yonatan Drori (Tenzai) for reporting."}], "id": "CVE-2026-8353", "lastModified": "2026-06-17T11:03:50.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-8353", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "role": "CISA Coordinator", "timestamp": "2026-05-22T17:05:42.901517Z", "version": "2.0.3"}}]}, "published": "2026-05-22T15:16:26.793", "references": [{"source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"}], "sourceIdentifier": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.0,9.5.0]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Concrete CMS", "source": "cna", "vendor": "Concrete CMS"}, "product": "concrete_cms", "vendor": "concretecms"}], "created": "2026-05-22T15:45:16.502350+00:00", "updated": "2026-05-22T16:00:13.603817+00:00", "vendors": ["concretecms", "concretecms$PRODUCT$concrete_cms"]}