PatchSiren cyber security CVE debrief
CVE-2026-8203 Concrete CMS CVE debrief
CVE-2026-8203 is a stored cross-site scripting (XSS) vulnerability affecting Concrete CMS 9.5.0 and below. The issue is described as improper validation or sanitization of the $height value in a controller, allowing malicious JavaScript to be stored and later executed in a visitor’s browser. The CVE record rates the issue HIGH with CVSS v4.0 7.3.
- Vendor: Concrete CMS
- Product: Unknown
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and security teams running Concrete CMS installations at version 9.5.0 or earlier should review this immediately, especially where editor-privileged accounts are broadly assigned or not tightly controlled. Content editors and site owners should also care because the attack path requires authenticated editor privileges, but the impact is on other users’ browsers.
Technical summary
The vulnerability is a stored XSS condition (CWE-79). According to the CVE description and NVD metadata, the controller does not validate or sanitize $height, which can let an editor inject script content that is persisted and then rendered to other visitors. The reported CVSS v4.0 vector is CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, indicating network-based delivery, required editor privileges, and user interaction for successful exploitation.
Defensive priority
High. Stored XSS in a CMS can expose authenticated sessions and sensitive browser-side actions for site visitors. Because the vulnerable input is reachable by users with editor privileges, access control review and code remediation should be prioritized alongside version tracking for any affected deployments.
Recommended defensive actions
- Confirm whether your Concrete CMS deployment is version 9.5.0 or below.
- Review any editor-role access and reduce unnecessary editor privileges until remediation is applied.
- Apply the vendor fix or upgrade to a version that addresses the issue, using the official Concrete CMS release notes as the primary reference.
- Audit templates, controllers, and any custom integrations that handle the height parameter or related user-controlled fields.
- Add or strengthen server-side input validation and output encoding controls for all content that can be stored and later rendered in browsers.
- Check for signs of unexpected script content in CMS-managed content fields and related logs.
- Monitor the vendor advisory and release notes for remediation details and any follow-up guidance.
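The technical summary and the validation/encoding recommendation above describe the defect abstractly. The following is an added example, not Concrete CMS code: it contrasts a height value echoed into markup unvalidated with a hardened version that allow-lists the value on save and encodes it on output. Function names, the accepted units and the sample inputs are assumptions for illustration.

```php
<?php
// Added example, not Concrete CMS's own controller code.
// Demonstrates why an unvalidated $height leads to stored XSS and one way to close it.

// Vulnerable pattern: the stored value is placed into an attribute with no validation
// or encoding, so a value that closes the attribute can inject markup.
function render_block_unsafe(string $height): string {
    return '<div class="block" style="height:' . $height . '">...</div>';
}

// Hardened step 1: validate on save. Accept only a number with an optional CSS
// length unit (assumption: these units are all the block needs; adjust to the real field).
function validate_height(string $height): ?string {
    $height = trim($height);
    if (preg_match('/^\d{1,4}(?:\.\d{1,2})?(px|em|rem|%|vh)?$/', $height) === 1) {
        return $height;
    }
    return null; // anything else (quotes, angle brackets, event handlers) is rejected
}

// Hardened step 2: encode on output regardless, so a bad value that reached storage
// through another path is still rendered inert.
function render_block_safe(?string $height): string {
    $value = $height ?? 'auto';
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="block" style="height:' . $encoded . '">...</div>';
}

// Constructed sample inputs: one benign, one that tries to break out of the attribute.
foreach (['240px', '10px"><script>alert(1)</script>'] as $input) {
    $validated = validate_height($input);
    echo ($validated === null ? 'REJECTED: ' : 'ACCEPTED: ') . $input . PHP_EOL;
    echo render_block_safe($validated) . PHP_EOL;
}
```

Validation on save is the control that stops the hostile value from being persisted; the output encoding is defence in depth for content already in the database.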
Evidence notes
This debrief is based only on the supplied CVE/NVD record and the official Concrete CMS release-notes reference URL included in the source corpus. The corpus identifies the issue as stored XSS affecting Concrete CMS 9.5.0 and below, with CWE-79 and the quoted CVSS v4.0 vector. The vendor attribution in the provided enrichment is low-confidence/needs review, so the product is referred to as Concrete CMS only where supported by the source text.
Official resources
- CVE-2026-8203 CVE record (CVE.org)
- CVE-2026-8203 NVD detail (NVD)
CVE published by NVD on 2026-05-21. No Known Exploited Vulnerabilities (KEV) entry was supplied for this issue.