PT-2026-42563 · Unknown · Concrete Cms

Yonatan Drori · Published 2026-05-21 · Updated 2026-05-22 · CVE-2026-8245

CVSS v4.0: 6.0 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions prior to 9.5.1

Description: Reflected Cross-Site Scripting (XSS) occurs in Legacy Pagination through HTML attribute injection. The Concrete\Core\Legacy\Pagination class constructs pagination links by raw-interpolating the $URL variable into the href attribute of an anchor tag. An authenticated administrator or report viewer with access to the '/dashboard/reports/forms/legacy' endpoint can trigger the payload in their session by clicking a crafted URL.

Recommendations: Update to a version newer than 9.5.0. Restrict access to the '/dashboard/reports/forms/legacy' endpoint to minimize the risk of exploitation.
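As an added illustration (not Concrete CMS code), the unsafe pattern the description refers to next to a hardened link builder; the function names and the sample query value are constructed for this example.

```php
<?php
// Added example, not Concrete CMS code: a minimal pagination link builder
// showing the pattern the advisory describes (a request-derived URL
// interpolated raw into href) next to a hardened version. Function names
// and sample input are constructed for illustration.

// Unsafe: $url is taken from the request and dropped into the attribute
// unchanged, so a double quote in it closes href and whatever follows is
// parsed as further attributes or markup (reflected XSS).
function buildPageLinkUnsafe(string $url, int $page): string
{
    return '<a href="' . $url . '&page=' . $page . '">' . $page . '</a>';
}

// Hardened: rebuild the href from a fixed path and URL-encoded query values,
// then HTML-encode the whole attribute value. http_build_query() handles the
// query layer; htmlspecialchars() with ENT_QUOTES handles the attribute
// layer, so neither quotes nor angle brackets reach the HTML parser raw.
function buildPageLinkSafe(string $path, array $query, int $page): string
{
    $query['page'] = $page;
    $href = $path . '?' . http_build_query($query);
    $safeHref = htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $safeHref . '">' . $page . '</a>';
}

// Constructed sample input: a query parameter carrying a quote and angle
// brackets, as it would arrive in a crafted link.
$path  = '/dashboard/reports/forms/legacy';
$query = ['q' => 'x" title="injected"><i>'];

// Vulnerable form: the tainted value is already part of the URL string and
// lands in the markup verbatim.
echo buildPageLinkUnsafe($path . '?q=' . $query['q'], 2), PHP_EOL;

// Hardened form: the same value survives only as percent- and HTML-encoded
// text inside the attribute.
echo buildPageLinkSafe($path, $query, 2), PHP_EOL;
```

Comparing the two lines of output shows the defensive point: encoding must be applied for the context the value ends up in (URL query, then HTML attribute), not just once somewhere upstream.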

Related Identifiers: CVE-2026-8245

Affected Products: Concrete Cms