PT-2026-42543 · Unknown · Concrete Cms
Alfin Joseph
Published 2026-05-21 · Updated 2026-05-21
CVE-2026-8203
CVSS v4.0: 7.3 (High)
Vector: AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Concrete CMS versions 9.5.0 and earlier
Description
A stored cross-site scripting (XSS) issue exists because the controller fails to validate or sanitize the height parameter. This allows users with editor privileges to inject malicious JavaScript that executes in the browser of any visitor, which could lead to credential theft or session hijacking.
Recommendations
Update to a version later than 9.5.0.
As a temporary workaround, restrict editor privileges to trusted users to minimize the risk of malicious script injection via the height parameter.
Fix
XSS
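The root cause stated above is a numeric parameter that reaches storage and rendering without validation or output encoding. The following PHP snippet is an added illustration of the two controls a defender would expect on such a parameter; it is not Concrete CMS code, and the function names validateHeight and renderHeightAttribute, the range limits and the sample inputs are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical hardening of a "height" request parameter in a PHP controller.
// Added illustration only: this is not the affected controller and does not
// reflect how Concrete CMS implements it.

/**
 * Accept only a positive integer height within a sane range.
 * Markup, script, floats and empty strings are rejected before the value
 * is stored, so nothing stored can carry a payload in the first place.
 */
function validateHeight(mixed $raw, int $min = 1, int $max = 4096): int
{
    if (!is_string($raw) && !is_int($raw)) {
        throw new InvalidArgumentException('height must be a scalar');
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    if ($value === false) {
        throw new InvalidArgumentException(
            "height must be an integer between {$min} and {$max}"
        );
    }
    return $value;
}

/**
 * Defence in depth: whatever reaches the template is HTML-escaped when it is
 * written into an attribute, so output encoding does not depend on the input
 * check having run (e.g. for values stored before the fix was deployed).
 */
function renderHeightAttribute(int|string $height): string
{
    return 'height="' . htmlspecialchars((string) $height, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
}

// Constructed sample inputs (not taken from the advisory).
$samples = ['300', '0', '99999', 'abc', '<script>alert(1)</script>'];

foreach ($samples as $sample) {
    try {
        $h = validateHeight($sample);
        echo 'accepted: ' . renderHeightAttribute($h) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected "' . $sample . '": ' . $e->getMessage() . PHP_EOL;
    }
}

// Even a legacy value that bypassed validation is neutralised at render time:
// the angle brackets and quotes are encoded, so no tag or attribute can break out.
echo renderHeightAttribute('<script>alert(1)</script>') . PHP_EOL;
```

Of the two controls, the input check is the one that removes the stored-XSS class entirely for this parameter, since a dimension has no legitimate reason to contain anything but digits; the output encoding is what protects records already written before an upgrade, which is why the advisory's workaround of restricting editor access only reduces exposure rather than eliminating it.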
Weakness Enumeration
Related Identifiers
Affected Products
Concrete Cms