PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8197 Concrete CMS CVE debrief

CVE-2026-8197 is a stored cross-site scripting issue in Concrete CMS 9.5.0 and earlier. The problem is in the OAuth authorize template, where an admin-controlled integration name is passed through Concrete's translation helper in a way that preserves embedded HTML. In practical terms, a malicious or rogue administrator could inject content that is rendered in the login flow and potentially observe or interfere with login submissions.

Vendor: Concrete CMS
Product: Unknown
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Concrete CMS administrators and security teams, especially those running OAuth integrations and those who allow multiple administrators or delegated content managers. If your Concrete CMS deployment uses the affected OAuth authorize flow, this issue should be reviewed promptly.

Technical summary

According to the supplied description and NVD data, the weakness is CWE-79 (stored XSS). The OAuth authorize template wraps the integration name in <strong> tags before calling the t() translation helper, and because t() performs sprintf-style interpolation of its arguments without escaping them, the wrapped integration name reaches the rendered output as raw HTML. The attack requires high privileges (PR:H) and passive user interaction (UI:P), and the reported impact is high across confidentiality, integrity, and availability in the CVSS v4.0 vector provided by NVD.

Defensive priority

High for affected Concrete CMS deployments that use OAuth integrations. The privilege and interaction requirements reduce broad exposure, but the issue still matters because it affects an authentication-related page: a rogue administrator could use it to observe or interfere with credential submissions in the login flow.

Recommended defensive actions

  • Review the Concrete CMS 9.5.1 release notes linked in the source material for vendor remediation guidance.
  • Audit any OAuth integration names and related admin-managed fields for unsafe HTML rendering paths.
  • Verify that template output is escaped before translation or interpolation when handling admin-controlled values.
  • Limit and monitor administrator access, since exploitation requires high privileges.
  • Test affected instances for unexpected HTML rendering in the OAuth authorize flow after applying vendor guidance.
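The following PHP is an added illustration of the bug class described in the technical summary and of the escaping check recommended above; it is not Concrete CMS code. The t_stub() and h_stub() helpers are local stand-ins for Concrete's t() and h(), and the integration name is a constructed sample.

```php
<?php
// Added example (not Concrete CMS code): the bug class behind CVE-2026-8197
// reproduced with local stand-ins for Concrete's t() and h() helpers.

// Stand-in for t(): translation lookup (identity here) plus sprintf-style
// interpolation of the extra arguments, which is what lets raw HTML through.
function t_stub(string $msg, string ...$args): string
{
    return $args === [] ? $msg : vsprintf($msg, $args);
}

// Stand-in for an HTML escaper such as Concrete's h().
function h_stub(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable shape: the admin-controlled name is wrapped in <strong> first and
// the whole argument is interpolated as trusted markup, so any tags or
// attributes inside $integrationName land in the page unchanged.
function renderAuthorizeVulnerable(string $integrationName): string
{
    return t_stub('Allow %s to access your account?',
        '<strong>' . $integrationName . '</strong>');
}

// Hardened shape: escape the untrusted value before adding the markup the
// template owns, so only the template's own <strong> reaches the output.
function renderAuthorizeFixed(string $integrationName): string
{
    return t_stub('Allow %s to access your account?',
        '<strong>' . h_stub($integrationName) . '</strong>');
}

// Audit helper for the "unexpected HTML rendering" check: true when a name
// that contains markup appears verbatim (unescaped) in the rendered output.
function nameRendersAsMarkup(string $rendered, string $integrationName): bool
{
    return $integrationName !== strip_tags($integrationName)
        && strpos($rendered, $integrationName) !== false;
}

// Constructed sample: an integration name carrying a tag and quoted attribute.
$name = 'Acme <em title="x">Login</em>';
var_dump(nameRendersAsMarkup(renderAuthorizeVulnerable($name), $name));
var_dump(nameRendersAsMarkup(renderAuthorizeFixed($name), $name));
echo renderAuthorizeFixed($name), PHP_EOL;
```

Escaping after wrapping would also neutralise the template's own <strong>, which is why the escape call belongs on the untrusted value alone, before the markup is added.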

Evidence notes

The source corpus identifies CVE-2026-8197 as a stored XSS issue affecting Concrete CMS 9.5.0 and below. NVD lists CWE-79 and the CVSS v4.0 vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The supplied description explains that the OAuth authorize template renders an admin-controlled integration name through the translation helper in a way that allows raw HTML in the output. The only official product reference supplied is the Concrete CMS release-notes link.

Official resources

Published 2026-05-21. The supplied record does not indicate KEV inclusion or public exploitation status.