Concrete CMS — Vulnerabilities & Security Advisories 26

All 26 CVE vulnerabilities found in Concrete CMS, with AI-generated Chinese analysis, references, and POCs.

Vendor: Concrete CMS

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-2994 | Concrete CMS below 9.4.8 is vulnerable to CSRF by a Rogue Admin using the Anti-Spam Allowlist Group | CWE-352 | 6.8 | - | 2026-03-04 |
| CVE-2026-3240 | Concrete CMS below 9.4.8 is vulnerable to Stored XSS via Legacy form | CWE-79 | 5.4 | - | 2026-03-04 |
| CVE-2026-3241 | Concrete CMS below version 9.4.8 is vulnerable to a stored cross-site scripting (XSS) in the "Legacy Form" block. | CWE-79 | 4.8 | - | 2026-03-04 |
| CVE-2026-3242 | Concrete CMS below 9.4.8 is vulnerable to Stored XSS in the Switch Language block | CWE-79 | 4.8 | - | 2026-03-04 |
| CVE-2026-3244 | Concrete CMS below version 9.4.8 is vulnerable to Stored XSS in Search Results via Page Names | CWE-79 | 4.8 | - | 2026-03-04 |
| CVE-2026-3452 | Concrete CMS below 9.4.8 is vulnerable to stored deserialization leading to RCE in the Express Entry List block. | CWE-502 | 7.2 | - | 2026-03-04 |
| CVE-2025-8571 | Concrete CMS 9 through 9.4.2 and below 8.5.21 is vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page | CWE-20 | 6.1 (AI) | Medium (AI) | 2025-08-05 |
| CVE-2025-8573 | Concrete CMS 9 through 9.4.2 is vulnerable to Stored XSS from Home Folder on Members Dashboard page | CWE-20 | 4.8 (AI) | Medium (AI) | 2025-08-05 |
| CVE-2025-3153 | Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 - CSRF and XSS in Concrete CMS Custom Address attribute | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-04-03 |
| CVE-2025-0660 | Stored XSS in Folder Function by Rogue Admin | CWE-20 | 4.8 | - | 2025-03-10 |
| CVE-2024-7398 | Concrete CMS Stored XSS Vulnerability in Calendar Event Addition Feature | CWE-79 | 4.8 (AI) | Medium (AI) | 2024-09-24 |
| CVE-2024-8291 | Concrete CMS Stored XSS in Image Editor Background Color | CWE-22 | 4.8 (AI) | Medium (AI) | 2024-09-24 |
| CVE-2024-8660 | Stored XSS in the "Top Navigator Bar" block | CWE-79 | 4.8 | - | 2024-09-17 |
| CVE-2024-8661 | Concrete CMS version 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block | CWE-79 | 4.8 | - | 2024-09-16 |
| CVE-2024-4350 | Concrete CMS version 9 below 9.3.3 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer | CWE-79 | 4.8 (AI) | Medium (AI) | 2024-08-09 |
| CVE-2024-7512 | Concrete CMS Stored XSS in Board instances | CWE-20 | 4.8 (AI) | Medium (AI) | 2024-08-09 |
| CVE-2024-7394 | Concrete CMS version 9.0.0 through 9.3.2 and below 8.5.18 - Stored XSS in getAttributeSetName() | CWE-79 | 4.8 (AI) | Medium (AI) | 2024-08-08 |
| CVE-2024-4353 | Stored XSS in Generate Board Name Input Field | CWE-20 | 4.8 (AI) | Medium (AI) | 2024-08-01 |
| CVE-2024-3181 | Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. | CWE-79 | 3.1 | Low | 2024-04-03 |
| CVE-2024-3180 | Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file | CWE-79 | 3.1 | Low | 2024-04-03 |
| CVE-2024-3179 | Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page | CWE-79 | 3.1 | Low | 2024-04-03 |
| CVE-2024-3178 | Concrete CMS versions 9 below 9.2.8 and versions below 8.5.16 are vulnerable to Cross-site Scripting (XSS) in the Advanced File Search Filter | CWE-79 | 3.1 | Low | 2024-04-03 |
| CVE-2024-2753 | Concrete CMS version 9 below 9.2.8 and below 8.5.16 is vulnerable to stored XSS on the calendar color settings screen | CWE-79 | 2.0 | Low | 2024-04-03 |
| CVE-2024-2179 | Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type | CWE-79 | 2.2 | Low | 2024-03-05 |
| CVE-2024-1247 | Concrete CMS version 9 before 9.2.5 vulnerable to stored XSS via the Role Name field | CWE-20 | 2.0 | Low | 2024-02-09 |
| CVE-2011-3183 | Concrete CMS cross-site scripting vulnerability | | 6.1 | - | 2020-01-14 |