{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T14:53:10.763","vulnerabilities":[{"cve":{"id":"CVE-2026-3244","sourceIdentifier":"ff5b8ace-8b95-4078-9743-eac1ca5451de","published":"2026-03-04T02:15:54.663","lastModified":"2026-03-04T21:37:24.850","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.  Thanks zolpak for reporting"},{"lang":"es","value":"En Concrete CMS anterior a la versión 9.4.8, existe una vulnerabilidad de cross-site scripting (XSS) almacenado en el bloque de búsqueda donde los nombres de página y el contenido se renderizan sin la codificación HTML adecuada en los resultados de búsqueda. Esto permite a administradores autenticados y maliciosos inyectar JavaScript malicioso a través de nombres de página que se ejecuta cuando los usuarios buscan y ven esas páginas en los resultados de búsqueda. El equipo de seguridad de Concrete CMS otorgó a esta vulnerabilidad una puntuación CVSS v.4.0 de 4.8 con el vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Gracias a zolpak por reportar."}],"metrics":{"cvssMetricV40":[{"source":"ff5b8ace-8b95-4078-9743-eac1ca5451de","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.7,"impactScore":2.7}]},"weaknesses":[{"source":"ff5b8ace-8b95-4078-9743-eac1ca5451de","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*","versionEndExcluding":"9.4.8","matchCriteriaId":"BCBFD93E-6A10-4E9F-A31E-4A2C1FCD367C"}]}]}],"references":[{"url":"https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes","source":"ff5b8ace-8b95-4078-9743-eac1ca5451de","tags":["Release Notes","Patch","Vendor Advisory"]},{"url":"https://github.com/concretecms/concretecms/pull/12826","source":"ff5b8ace-8b95-4078-9743-eac1ca5451de","tags":["Exploit","Issue Tracking","Vendor Advisory"]}]}}]}