PatchSiren cyber security CVE debrief
CVE-2026-8245 Concrete CMS CVE debrief
CVE-2026-8245 describes a reflected cross-site scripting issue in Concrete CMS Legacy Pagination affecting version 9.5.0 and below. The issue comes from raw interpolation of a URL value into an HTML href attribute, which can let a crafted link inject script into a user’s session. The source description says the impact is relevant to authenticated admin or report-viewer users who access the legacy reports page and click the malicious link. The CVE record assigns CVSS v4.0 6.0 (Medium).
- Vendor: Concrete CMS
- Product: Unknown
- CVSS: MEDIUM 6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Concrete CMS administrators, security teams, and anyone responsible for dashboard/report access controls should care, especially environments where users can reach /dashboard/reports/forms/legacy. Authenticated admins and report viewers are the most relevant user group because the payload executes in their session after they click a crafted URL.
Technical summary
The vulnerable code path is described as Concrete\Core\Legacy\Pagination building pagination links by raw-interpolating its URL field into href="...". That is an HTML attribute injection flaw consistent with CWE-83 and reflected XSS. Because the payload is delivered through a crafted link and requires user interaction, the attack is reflected rather than stored, and the main risk is session-context execution in the browser of a privileged or trusted dashboard user.
Defensive priority
Medium. The issue has moderate severity and requires user interaction, but the payload executes in an authenticated user's session, which raises the practical impact for admin-facing workflows. Prioritize it if Concrete CMS is exposed to internal users who are not fully trusted, or if dashboard/report URLs are frequently shared.
Recommended defensive actions
- Review the Concrete CMS security update and the 9.5.1 release notes referenced in the source material for the vendor’s fix details.
- Restrict access to /dashboard/reports/forms/legacy to only the users who genuinely need it until patched.
- Verify that any pagination or link-rendering code path encodes URLs safely before placing them into HTML attributes.
- Treat unexpected or shortened dashboard links as suspicious and caution report viewers and admins not to click unverified URLs.
- If a user clicked a crafted legacy-pagination link, review related session and browser activity for signs of script execution or account misuse.
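The technical summary above describes the flaw as raw interpolation of a URL field into an href="..." attribute, and the third recommended action asks that link-rendering code encode URLs before placing them in attributes. The following PHP snippet is an added illustration of that check, not Concrete CMS's own code; the function names render_page_link_unsafe() and render_page_link_safe(), the fallback path and the constructed input are assumptions. It places the raw-interpolation pattern next to a hardened version that restricts the value to a same-site relative path, rebuilds the query string from parsed parameters, and applies attribute-context encoding with htmlspecialchars(). It assumes PHP 8 for str_starts_with().

```php
<?php
// Added example, not part of Concrete CMS. Illustrates the difference between
// raw interpolation into href="..." and a hardened pagination-link renderer.
declare(strict_types=1);

/**
 * Vulnerable pattern (assumed shape, not the project's code): the URL value is
 * dropped into the attribute unchanged, so a double quote inside it terminates
 * the href and whatever follows becomes additional markup.
 */
function render_page_link_unsafe(string $url, int $page): string
{
    return '<a href="' . $url . '&page=' . $page . '">' . $page . '</a>';
}

/**
 * Hardened pattern: accept only a same-site relative path, rebuild the query
 * string from parsed parameters so every value is URL-encoded, then encode the
 * whole value for an HTML attribute context.
 */
function render_page_link_safe(string $url, int $page): string
{
    $parts = parse_url($url);
    if ($parts === false
        || isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])
        || !isset($parts['path']) || $parts['path'] === '' || $parts['path'][0] !== '/'
        || str_starts_with($parts['path'], '//')) {
        // Untrusted or non-relative value: fall back to a known-good base path
        // (assumed fallback) rather than echoing the input back to the browser.
        $parts = ['path' => '/dashboard/reports/forms/legacy'];
    }

    $query = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);   // decode into key/value pairs
    }
    $query['page'] = $page;                   // page number set explicitly as an int
    $href = $parts['path'] . '?' . http_build_query($query); // re-encodes every value

    // Attribute-context encoding: quotes, <, >, & become entities.
    $safe = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '">' . $page . '</a>';
}

// Constructed input: a value containing a double quote, which is enough to
// close the href attribute when interpolated raw. No script is needed to see
// the injection; an extra (harmless) title attribute appears in the output.
$untrusted = '/dashboard/reports/forms/legacy?x=1" title="injected';

echo render_page_link_unsafe($untrusted, 2), PHP_EOL;
// <a href="/dashboard/reports/forms/legacy?x=1" title="injected&page=2">2</a>

echo render_page_link_safe($untrusted, 2), PHP_EOL;
// <a href="/dashboard/reports/forms/legacy?x=1%22+title%3D%22injected&amp;page=2">2</a>
```

The hardened version does two independent things, and both matter: the parse_url() gate stops absolute URLs and protocol-relative values from being emitted at all, and htmlspecialchars() with ENT_QUOTES guarantees that whatever does reach the attribute cannot terminate it. When reviewing a pagination or link-building code path, check for both the allow-list on the value and the encoding at the point of output; encoding alone leaves open redirects and javascript: links untouched, and filtering alone is easy to bypass.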
Evidence notes
The source corpus is anchored in the NVD record and a Concrete CMS release-notes reference. The NVD description explicitly states Concrete CMS 9.5.0 and below are vulnerable, identifies the issue as reflected XSS via HTML attribute injection in Legacy Pagination, and includes CWE-83 plus the CVSS v4.0 vector. The only product-specific reference link provided is the Concrete CMS 9.x version-history / 9.5.1 release notes page, so remediation details should be confirmed there. The vendor mapping in the input is low confidence, so the debrief uses the Concrete CMS name from the vulnerability description rather than asserting a stronger vendor/product identity than the corpus supports.
Official resources
- CVE-2026-8245 CVE record (CVE.org)
- CVE-2026-8245 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff5b8ace-8b95-4078-9743-eac1ca5451de
CVE-2026-8245 was published on 2026-05-21T22:16:50.243Z. No KEV entry was provided in the source corpus.