PT-2026-22865 · Unknown · Concrete CMS

Minhnn42 +2 · Published 2026-03-04 · Updated 2026-03-04 · CVE-2026-3240

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Concrete CMS versions prior to 9.4.8

Description
A user with edit permissions on a page containing a Legacy form can execute a stored Cross-Site Scripting (XSS) attack targeting high-privilege accounts through the Question field. This allows an attacker to inject malicious scripts that execute within the context of another user's browser.

Recommendations
Update to version 9.4.8 or later.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-3240
GHSA-45FJ-FVMM-XCC5

Affected Products

Concrete CMS