QwikSec

Security Database

CVE

CWE

Training

CVE-2026-3242

Published: Mar 4, 2026

Modified: Mar 4, 2026

PUBLISHED

Description

In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting.

Vendor	Product	Versions
Concrete CMS	Concrete CMS	affected `5 - < 9.4.8`

Weaknesses (CWE)

References

https://github.com/concretecms/concretecms/pull/12826

https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.