CVE-2026-8245 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-8245

CVE-2026-8245

Published:May 21, 2026

Updated:June 11, 2026

Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (<a href="{$linkURL}" …>). Any authenticated admin or report viewer with access to "/dashboard/reports/forms/legacy" who clicks the crafted URL fires the payload in their session. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting

Affected Packages

concrete5/concrete5 (PHP):

Affected version(s) >=dev-allow-install-php-8.2 <9.5.1

Fix Suggestion:

Update to version 9.5.1

Related Resources (1)

https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

Do you need more information?

CVSS v4

Base Score:

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

PRESENT

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Improper Neutralization of Script in Attributes in a Web Page

CWE-83

EPSS

Base Score:

0.02