{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3242", "assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "state": "PUBLISHED", "assignerShortName": "ConcreteCMS", "dateReserved": "2026-02-26T02:40:01.142Z", "datePublished": "2026-03-04T02:00:38.994Z", "dateUpdated": "2026-03-04T15:42:32.198Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/concretecms/concretecms", "defaultStatus": "unaffected", "platforms": ["git"], "product": "Concrete CMS", "repo": "https://github.com/concretecms/concretecms", "vendor": "Concrete CMS", "versions": [{"lessThan": "9.4.8", "status": "affected", "version": "5", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "M3dium"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block.&nbsp;&nbsp;The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector&nbsp;CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.&nbsp; Thanks&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">M3dium&nbsp;</span>for reporting.<br>"}], "value": "In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block.\u00a0\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.\u00a0 Thanks\u00a0M3dium\u00a0for reporting."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.8, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "shortName": "ConcreteCMS", "dateUpdated": "2026-03-04T02:01:48.668Z"}, "references": [{"url": "https://github.com/concretecms/concretecms/pull/12826"}, {"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"}], "source": {"advisory": "3451125", "defect": ["HackerOne"], "discovery": "EXTERNAL"}, "title": "Concrete CMS below 9.4.8 is vulnerable to Stored XSS in the Switch Language block", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T15:42:24.745405Z", "id": "CVE-2026-3242", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T15:42:32.198Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3242", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T15:42:24.745405Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T15:42:29.019Z"}}], "cna": {"title": "Concrete CMS below 9.4.8 is vulnerable to Stored XSS in the Switch Language block", "source": {"defect": ["HackerOne"], "advisory": "3451125", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "M3dium"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/concretecms/concretecms", "vendor": "Concrete CMS", "product": "Concrete CMS", "versions": [{"status": "affected", "version": "5", "lessThan": "9.4.8", "versionType": "git"}], "platforms": ["git"], "collectionURL": "https://github.com/concretecms/concretecms", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/concretecms/concretecms/pull/12826"}, {"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block.\u00a0\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.\u00a0 Thanks\u00a0M3dium\u00a0for reporting.", "supportingMedia": [{"type": "text/html", "value": "In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block.&nbsp;&nbsp;The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector&nbsp;CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.&nbsp; Thanks&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">M3dium&nbsp;</span>for reporting.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "shortName": "ConcreteCMS", "dateUpdated": "2026-03-04T02:01:48.668Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3242", "state": "PUBLISHED", "dateUpdated": "2026-03-04T15:42:32.198Z", "dateReserved": "2026-02-26T02:40:01.142Z", "assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "datePublished": "2026-03-04T02:00:38.994Z", "assignerShortName": "ConcreteCMS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCBFD93E-6A10-4E9F-A31E-4A2C1FCD367C", "versionEndExcluding": "9.4.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block.\u00a0\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.\u00a0 Thanks\u00a0M3dium\u00a0for reporting."}], "id": "CVE-2026-3242", "lastModified": "2026-03-04T21:31:29.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "type": "Secondary"}]}, "published": "2026-03-04T03:16:05.270", "references": [{"source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "tags": ["Release Notes", "Patch", "Vendor Advisory"], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"}, {"source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/concretecms/concretecms/pull/12826"}], "sourceIdentifier": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["git"], "status": "affected", "versions": {"scheme": "generic", "value": "[5,9.4.8)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Concrete CMS", "source": "cna", "vendor": "Concrete CMS"}, "product": "concrete_cms", "vendor": "concretecms"}], "analysis": {"en": {"generated_at": "2026-04-17T13:16:35.276879+00:00", "value": {"mitigation_remediation": ["Upgrade Concrete CMS to version 9.4.8 or later", "Disable or remove the Switch Language block where possible, limiting its use to essential pages", "Restrict administrator privileges to only those who need to edit language settings, applying the principle of least privilege"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Affects Concrete CMS installations running any version older than 9.4.8. Users should verify that their CMS instance is below this release before applying remediation.", "description_and_impact": "Concrete CMS versions prior to 9.4.8 allow a rogue administrator to inject arbitrary HTML and JavaScript through the Switch Language block, resulting in stored cross\u2011site scripting. The attacker can embed malicious scripts that persist in the site content and execute in the browsers of any authenticated user who views the affected pages, potentially compromising account sessions, defacing content, or exfiltrating sensitive information.", "risk_and_exploitability": "The vulnerability receives a CVSS v4.0 score of 4.8, indicating moderate severity, and an EPSS score of less than 1%, signaling a low probability of exploitation in the wild. The defect is not included in the CISA KEV catalog. Exploitation requires elevated privileged access, as the attacker must be a malicious administrator controlling the Switch Language block."}}}}, "created": "2026-03-04T14:53:20.577894+00:00", "updated": "2026-04-17T13:30:19.590311+00:00", "vendors": ["concretecms", "concretecms$PRODUCT$concrete_cms"]}