PT-2026-42581 · Unknown · Concrete Cms
Tenzai
+1
·
Published
2026-05-21
·
Updated
2026-05-26
·
CVE-2026-8139
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Concrete CMS versions prior to 9.5.1
Description
Stored Cross-Site Scripting (XSS) occurs via the 'external-link' page
cvName because the updateCollectionAliasExternal() function bypasses sanitization. Stored XSS is a flaw where malicious scripts are permanently stored on the target server, which then serves them to other users.Recommendations
Update to a version newer than 9.5.0.
As a temporary workaround, restrict access to the
updateCollectionAliasExternal() function to minimize the risk of exploitation.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Concrete Cms