concrete5/concrete5 Security Advisories for 9.2.4 (29)
[MEDIUM] ConcreteCMS is vulnerable to Denial of Service During Bulk Downloads
PKSA-xvm3-fqgr-dzxw CVE-2026-30662 GHSA-p68c-rmfh-j48h
Affected version: <=9.4.7
Reported by: GitHub
[MEDIUM] Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
PKSA-nnjv-c4gq-wny8 CVE-2026-3242 GHSA-w9qg-chfh-g3q9
Affected version: <9.4.8
Reported by: GitHub
[HIGH] Concrete CMS vulnerable to Remote Code Execution by stored PHP object injection
PKSA-79x2-hpny-rxg9 CVE-2026-3452 GHSA-gj26-w59c-29mf
Affected version: <9.4.8
Reported by: GitHub
[MEDIUM] Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
PKSA-r7c6-pnck-sspr CVE-2026-3244 GHSA-mm5f-5rqw-574f
Affected version: <9.4.8
Reported by: GitHub
[MEDIUM] Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
PKSA-k8s6-ntjk-g2wy CVE-2026-3241 GHSA-f4vq-pj32-gr4q
Affected version: <9.4.8
Reported by: GitHub
[MEDIUM] Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
PKSA-gwgb-qhcr-dkk9 CVE-2026-3240 GHSA-45fj-fvmm-xcc5
Affected version: <9.4.8
Reported by: GitHub
[LOW] Concrete CMS vulnerable to Cross-Site Request Forgery (CSRF)
PKSA-46yc-bd63-xkv6 CVE-2026-2994 GHSA-6mxw-2vhf-42g5
Affected version: <9.4.8
Reported by: GitHub
[LOW] Concrete CMS is vulnerable to Stored XSS from Home Folder on Members Dashboard page
PKSA-7cqd-c3g8-fsyk CVE-2025-8573 GHSA-c5xf-rmv4-j85h
Affected version: >=9.0.0RC1,<9.4.3
Reported by: GitHub
[MEDIUM] Concrete CMS vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page
PKSA-t956-bfpp-mxgp CVE-2025-8571 GHSA-4pcg-pjp5-3mc6
Affected version: >=9.0.0RC1,<9.4.3|<8.5.21
Reported by: GitHub
[MEDIUM] Concrete CMS Vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS)
PKSA-jtjf-xd7f-qq44 CVE-2025-3153 GHSA-cmm4-p9v2-q453
Affected version: <8.5.20|>=9.0.0,<9.4.0RC2
Reported by: GitHub
[MEDIUM] ConcreteCMS Cross-Site Scripting (XSS) via HTML Block Text Field
PKSA-wppm-g9w6-5t8w CVE-2025-2967 GHSA-xfqf-5rhg-5c73
Affected version: <=9.3.9
Reported by: GitHub
[MEDIUM] Concrete CMS affected by a stored XSS in Folder Function. The "Add Folder" functionality
PKSA-7rbh-qkpf-p5vz CVE-2025-0660 GHSA-pvmx-mjmh-jfcx
Affected version: <9.4.0RC1
Reported by: GitHub
[MEDIUM] Cross site scripting in Concrete CMS
PKSA-fckc-p3cm-dkks CVE-2024-8291 GHSA-q7qr-22qw-pqgx
Affected version: <8.5.19|>=9.0.0,<9.3.4
Reported by: GitHub
[MEDIUM] Cross site scripting in Concrete CMS
PKSA-dd65-y4fx-94zs CVE-2024-7398 GHSA-x8h2-255q-jg4x
Affected version: <8.5.19|>=9.0.0,<9.3.4
Reported by: GitHub
[MEDIUM] Concrete CMS stored XSS vulnerability in the "Top Navigator Bar" block
PKSA-69js-g4kz-mxqx CVE-2024-8660 GHSA-998c-q8hh-h8gv
Affected version: >=9.0.0,<9.3.3
Reported by: GitHub
[MEDIUM] Concrete CMS Stored XSS in the "Next&Previous Nav" block
PKSA-nwnp-29jm-dnjm CVE-2024-8661 GHSA-xmxj-v2q8-8qx6
Affected version: >=9.0.0,<9.3.4|<8.5.19
Reported by: GitHub
[LOW] Concrete CMS vulnerable to Stored Cross-site Scripting
PKSA-11gg-978n-ccy8 CVE-2024-7512 GHSA-c47w-9mcf-w972
Affected version: >=9.0.0RC1,<9.3.3
Reported by: GitHub
[MEDIUM] Concrete CMS Stored Cross-site Scripting vulnerability
PKSA-t8dh-g3jy-xp44 CVE-2024-4350 GHSA-q5wx-m95r-4cgc
Affected version: >=9.0.0RC1,<9.3.3|<8.5.18
Reported by: GitHub
[MEDIUM] Concrete CMS Stored XSS in getAttributeSetName
PKSA-wgx3-m6ch-tdkj CVE-2024-7394 GHSA-w6j6-w6jx-vf2r
Affected version: >=9.0.0,<9.3.3|<8.5.18
Reported by: GitHub
[MEDIUM] Concrete CMS vulnerable to Stored Cross-site Scripting
PKSA-qdwk-mh2v-7h2p CVE-2024-4353 GHSA-3cpf-jmmc-8jm3
Affected version: >=9.0.0,<=9.3.2
Reported by: GitHub
[LOW] Concrete CMS Stored XSS in the Search Field
PKSA-n81q-nvhs-j5xh CVE-2024-3181 GHSA-qgm9-rxmq-jxmq
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by: GitHub
[LOW] Concrete CMS Stored XSS in blocks of type file
PKSA-jkfn-dm68-h74g CVE-2024-3180 GHSA-9qhc-pg6j-wf23
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by: GitHub
[LOW] Concrete CMS Stored XSS in the Custom Class page editing
PKSA-9d3h-dqyn-p3hg CVE-2024-3179 GHSA-r7q4-cw9r-vhp4
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by: GitHub
[LOW] Concrete CMS Cross-site Scripting (XSS) in the Advanced File Search Filter
PKSA-7yvb-1h2z-t44j CVE-2024-3178 GHSA-xwrh-qxmc-x8c8
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by: GitHub
[LOW] Concrete CMS Stored XSS on the calendar color settings screen
PKSA-637y-63mx-s8kt CVE-2024-2753 GHSA-pj42-r64f-4xfq
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by: GitHub
[LOW] Concrete CMS Stored Cross-site Scripting vulnerability
PKSA-xz8s-kt9m-78kn CVE-2024-2179 GHSA-4m7h-34xm-4wjv
Affected version: <9.2.7
Reported by: GitHub
[LOW] Concrete CMS vulnerable to stored XSS in file tags and description attributes
PKSA-k3fw-5172-87s2 CVE-2024-1245 GHSA-mgp6-j658-vcw9
Affected version: >=9.0.0RC1,<9.2.5
Reported by: GitHub
[LOW] Concrete CMS vulnerable to reflected XSS via the Image URL Import Feature
PKSA-mg7v-tf5z-216y CVE-2024-1246 GHSA-9v3w-cj7m-qh5g
Affected version: >=9.0.0RC1,<9.2.5
Reported by: GitHub
[LOW] Concrete CMS vulnerable to stored XSS via the Role Name field
PKSA-q44b-j422-8pc9 CVE-2024-1247 GHSA-q25h-jch8-gfrp
Affected version: >=9.0.0RC1,<9.2.5
Reported by: GitHub