PT-2026-22862 · Unknown · Concrete Cms

Zolpak · Published 2026-03-04 · Updated 2026-03-04 · CVE-2026-3244

CVSS v3.1: 4.8 (Medium)

Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Concrete CMS versions prior to 9.4.8

Description: A stored cross-site scripting (XSS) issue exists in the search block of the software. Page names and content are rendered without proper HTML encoding in search results, allowing authenticated administrators to inject malicious JavaScript through page names. This JavaScript executes when users search for and view those pages in search results.

Recommendations: Update to version 9.4.8 or later.

Fix

XSS

Weakness Enumeration

Related identifiers

CVE-2026-3244
GHSA-MM5F-5RQW-574F

Affected products

Concrete Cms