CVE-2026-8197

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1

Description Stored Cross-Site Scripting (XSS) occurs via the OAuth integration name. The OAuth authorize template renders the admin-controlled integration name using the t() translation helper as a sprintf-style format. Because the HTML wrap is constructed via PHP string interpolation before the t() function executes, the integration name is output as raw HTML. This could allow a malicious administrator to intercept login submissions.

Recommendations Update to a version newer than 9.5.0.