Luca Fuda

#50202 of 53,632
4.8 Total CVSS
Vulnerabilities · 1
PT-2024-19058
4.8
2024-03-05
Unknown · Concrete Cms · CVE-2024-2179
**Name of the Vulnerable Software and Affected Versions**

Concrete CMS versions 9.0.0 through 9.2.6

**Description**

The issue is related to insufficient validation of administrator-provided data for the `Name` field of a Group type, allowing a rogue administrator to inject malicious code, which might be executed when users visit the affected page.

**Recommendations**

For Concrete CMS versions 9.0.0 through 9.2.6, update to version 9.2.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the Group type `Name` field to minimize the risk of exploitation.