CVE-2026-3241

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.4.8

Description A stored cross-site scripting (XSS) issue exists in the "Legacy Form" block. An authenticated user with appropriate permissions can inject a JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The affected block allows for the injection of persistent JavaScript code.

Recommendations Update Concrete CMS to version 9.4.8 or later.