216.73.217.98

CVE-2026-8197

· Published 21/05/2026 21:16 · Modified 21/05/2026 21:16

Labels: CVE-2026-8197 2026-05-21CVE-2026-8197CWE-79ff5b8ace-8b95-4078-9743-eac1ca5451de

Essential information

Published
21/05/2026 21:16
Modified
21/05/2026 21:16
Author
Creator
CVSS
7.3 HIGH (v3) 7.3 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation helper as a sprintf-style format. The <strong>...</strong> wrap is built by PHP string interpolation before t() runs, so the integration name lands in the translated output as raw HTML. A rogue admin could potentially snoop on login submissions.The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  Thanks Yonatan Drori (Tenzai) for reporting.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
ff5b8ace-8b95-4078-9743-eac1ca5451de
NVD
View on NVD

Affected products (CPE)

ProductCPE
concrete / cms cpe:2.3:a:concrete:cms:<9.5.0:*:*:*:*:*:*:*

References