concrete5/concrete5 Security Advisories for 9.4.0RC1 (10)
- [MEDIUM] ConcreteCMS is vulnerable to Denial of Service During Bulk Downloads
  PKSA-xvm3-fqgr-dzxw CVE-2026-30662 GHSA-p68c-rmfh-j48h
  Affected version: <=9.4.7
  Reported by: GitHub
- [MEDIUM] Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
  PKSA-nnjv-c4gq-wny8 CVE-2026-3242 GHSA-w9qg-chfh-g3q9
  Affected version: <9.4.8
  Reported by: GitHub
- [HIGH] Concrete CMS vulnerable to Remote Code Execution by stored PHP object injection
  PKSA-79x2-hpny-rxg9 CVE-2026-3452 GHSA-gj26-w59c-29mf
  Affected version: <9.4.8
  Reported by: GitHub
- [MEDIUM] Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
  PKSA-r7c6-pnck-sspr CVE-2026-3244 GHSA-mm5f-5rqw-574f
  Affected version: <9.4.8
  Reported by: GitHub
- [MEDIUM] Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
  PKSA-k8s6-ntjk-g2wy CVE-2026-3241 GHSA-f4vq-pj32-gr4q
  Affected version: <9.4.8
  Reported by: GitHub
- [MEDIUM] Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
  PKSA-gwgb-qhcr-dkk9 CVE-2026-3240 GHSA-45fj-fvmm-xcc5
  Affected version: <9.4.8
  Reported by: GitHub
- [LOW] Concrete CMS vulnerable to Cross-Site Request Forgery (CSRF)
  PKSA-46yc-bd63-xkv6 CVE-2026-2994 GHSA-6mxw-2vhf-42g5
  Affected version: <9.4.8
  Reported by: GitHub
- [LOW] Concrete CMS is vulnerable to Stored XSS from Home Folder on Members Dashboard page
  PKSA-7cqd-c3g8-fsyk CVE-2025-8573 GHSA-c5xf-rmv4-j85h
  Affected version: >=9.0.0RC1,<9.4.3
  Reported by: GitHub
- [MEDIUM] Concrete CMS vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page
  PKSA-t956-bfpp-mxgp CVE-2025-8571 GHSA-4pcg-pjp5-3mc6
  Affected version: >=9.0.0RC1,<9.4.3|<8.5.21
  Reported by: GitHub
- [MEDIUM] Concrete CMS Vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS)
  PKSA-jtjf-xd7f-qq44 CVE-2025-3153 GHSA-cmm4-p9v2-q453
  Affected version: <8.5.20|>=9.0.0,<9.4.0RC2
  Reported by: GitHub