Concrete CMS Reflected Cross-Site Scripting Vulnerability in Legacy Pagination

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Concrete CMS versions 9.5.0 and below, specifically within the Legacy Pagination component. The component inserts the $URL field directly into pagination links without proper sanitization. Authenticated administrators or report viewers with access to the '/dashboard/reports/forms/legacy' page can be targeted: when one of them clicks a crafted URL, the injected payload is executed in their session.
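
The pattern described above, shown as an added PHP example beside a hardened form. This is not Concrete CMS source code: the function names, the `page` query parameter, the fallback path handling and the sample URL are assumptions constructed for illustration.

```php
<?php
// Added illustration; not Concrete CMS code. Function names are hypothetical.

// Unsafe pattern: the request-derived URL is concatenated into the href as-is,
// so a double quote in it ends the attribute and the rest is parsed as markup.
function pageLinkUnsafe(string $url, int $page): string
{
    return '<a href="' . $url . '&page=' . $page . '">' . $page . '</a>';
}

// Hardened pattern: accept only a plain same-site path, rebuild the query
// from parsed values, and encode for the HTML attribute context on output.
function pageLinkSafe(string $url, int $page): string
{
    $parts = parse_url($url);
    $path = is_array($parts) ? ($parts['path'] ?? '') : '';
    // Reject unparsable input, anything with a scheme or host, and paths
    // containing characters outside a conservative allowlist.
    if (!is_array($parts) || isset($parts['scheme']) || isset($parts['host'])
        || !preg_match('#^/[A-Za-z0-9/_.\-]*$#', $path)) {
        $parts = [];
        $path = '/dashboard/reports/forms/legacy'; // assumed safe default
    }
    // Re-encode every query value and set the page number exactly once.
    parse_str($parts['query'] ?? '', $query);
    $query['page'] = $page;
    $href = $path . '?' . http_build_query($query);

    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">' . $page . '</a>';
}

// Constructed input: a query string carrying a double quote and a harmless tag.
$url = '/dashboard/reports/forms/legacy?q="><i>marker</i>';

echo pageLinkUnsafe($url, 2), PHP_EOL; // the quote closes href; <i> becomes page markup
echo pageLinkSafe($url, 2), PHP_EOL;   // value is percent-encoded; href stays one attribute
```

Comparing the two output lines shows the difference a reviewer should look for: in the first, the sample tag appears outside the `href` attribute; in the second, it stays inside the attribute value in encoded form.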

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's session.

Added: May 21, 2026, 10:32 PM
Updated: May 21, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.7
exploitability: 6.4
remediation: 7.7
relevance: 8.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.