Vulnerability-Lookup

GHSA-F73J-PM2C-RXVR

Vulnerability from github – Published: 2026-05-22 00:31 – Updated: 2026-05-26 18:31

Details

Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (). Any authenticated admin or report viewer with access to /dashboard/reports/forms/legacy who clicks the crafted URL fires the payload in their session. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting

Severity

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

6.0 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-8245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-83"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-21T22:16:50Z",
    "severity": "MODERATE"
  },
  "details": "Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection.\u00a0Concrete\\Core\\Legacy\\Pagination builds pagination links by raw-interpolating its $URL field into href=\"\" (\u003ca href=\"{$linkURL}\" \u2026\u003e).\u00a0Any authenticated admin or report viewer with access to `/dashboard/reports/forms/legacy` who clicks the crafted URL fires the payload in their session.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u00a06.0 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks\u00a0Yonatan Drori (Tenzai) for reporting",
  "id": "GHSA-f73j-pm2c-rxvr",
  "modified": "2026-05-26T18:31:40Z",
  "published": "2026-05-22T00:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8245"
    },
    {
      "type": "WEB",
      "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

CVE-2026-8245 (GCVE-0-2026-8245)

Vulnerability from cvelistv5 – Published: 2026-05-21 21:14 – Updated: 2026-05-22 13:13

Title

Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection

Summary

Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (<a href="{$linkURL}" …>). Any authenticated admin or report viewer with access to `/dashboard/reports/forms/legacy` who clicks the crafted URL fires the payload in their session. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting

Severity

6 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-83 - Improper neutralization of script in attributes in a web page

Assigner

ConcreteCMS

References

1 reference

URL	Tags
https://documentation.concretecms.org/9-x/develop…	release-notes

Impacted products

1 product

Vendor	Product	Version
Concrete CMS	Concrete CMS	Affected: 5.0 , ≤ 9.5.0 (git)

Credits

Yonatan Drori (Tenzai)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8245",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T13:13:06.814159Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T13:13:14.402Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/concretecms/concretecms",
          "defaultStatus": "unaffected",
          "product": "Concrete CMS",
          "repo": "https://github.com/concretecms/concretecms",
          "vendor": "Concrete CMS",
          "versions": [
            {
              "lessThanOrEqual": "9.5.0",
              "status": "affected",
              "version": "5.0",
              "versionType": "git"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yonatan Drori (Tenzai)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection.\u0026nbsp;\u003ccode\u003eConcrete\\Core\\Legacy\\Pagination\u003c/code\u003e builds pagination links by raw-interpolating its \u003ccode\u003e$URL\u003c/code\u003e field into \u003ccode\u003ehref=\"\"\u003c/code\u003e (\u003ccode\u003e\u0026lt;a href=\"{$linkURL}\" \u2026\u0026gt;\u003c/code\u003e).\u0026nbsp;Any authenticated admin or report viewer with access to `/dashboard/reports/forms/legacy` who clicks the crafted URL fires the payload in their session.\u0026nbsp;The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u0026nbsp;6.0 with vector\u0026nbsp;CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks\u0026nbsp;Yonatan Drori (Tenzai) for reporting\u0026nbsp;"
            }
          ],
          "value": "Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection.\u00a0Concrete\\Core\\Legacy\\Pagination builds pagination links by raw-interpolating its $URL field into href=\"\" (\u003ca href=\"{$linkURL}\" \u2026\u003e).\u00a0Any authenticated admin or report viewer with access to `/dashboard/reports/forms/legacy` who clicks the crafted URL fires the payload in their session.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u00a06.0 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks\u00a0Yonatan Drori (Tenzai) for reporting"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-243",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-243 XSS Targeting HTML Attributes"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-83",
              "description": "CWE-83 Improper neutralization of script in attributes in a web page",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T21:14:18.940Z",
        "orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
        "shortName": "ConcreteCMS"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
        }
      ],
      "source": {
        "advisory": "https://hackerone.com/reports/3715249",
        "defect": [
          "HackerOne"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
    "assignerShortName": "ConcreteCMS",
    "cveId": "CVE-2026-8245",
    "datePublished": "2026-05-21T21:14:18.940Z",
    "dateReserved": "2026-05-09T16:38:53.682Z",
    "dateUpdated": "2026-05-22T13:13:14.402Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-F73J-PM2C-RXVR

CVE-2026-8245 (GCVE-0-2026-8245)

Tags

Sightings

Nomenclature