
Concrete CMS — Vulnerabilities & Security Advisories (27)

Browse all 27 CVE security advisories affecting Concrete CMS. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Concrete CMS is an open-source content management system designed for building and managing websites, primarily targeting small to medium-sized enterprises and organizations requiring flexible content structures. Historically, its codebase has exhibited vulnerabilities typical of PHP-based applications, including remote code execution, cross-site scripting, and privilege escalation flaws. These issues often stem from insufficient input validation and improper access controls within legacy modules. Security audits have identified multiple critical entries, with twenty-seven CVEs currently on record, reflecting persistent challenges in maintaining secure coding practices across its extensive feature set. Notable incidents involve exploited authentication bypasses and file inclusion errors that allowed unauthorized access to sensitive data. While recent updates have addressed many of these weaknesses, the high volume of historical vulnerabilities underscores the necessity for rigorous code review and continuous security monitoring to mitigate risks associated with its widespread deployment in diverse web environments.

Top products by Concrete CMS: Concrete CMS

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-2994 | Concrete CMS below 9.4.8 is vulnerable to CSRF by a Rogue Admin using the Anti-Spam Allowlist Group | Concrete CMS | CWE-352 | 6.8 | - | 2026-03-04 |
| CVE-2026-3240 | Concrete CMS below 9.4.8 is vulnerable to Stored XSS via Legacy form | Concrete CMS | CWE-79 | 5.4 | - | 2026-03-04 |
| CVE-2026-3241 | Concrete CMS below version 9.4.8 is vulnerable to a stored cross-site scripting (XSS) in the "Legacy Form" block. | Concrete CMS | CWE-79 | 4.8 | - | 2026-03-04 |
| CVE-2026-3242 | Concrete CMS below 9.4.8 is vulnerable to Stored XSS in the Switch Language block | Concrete CMS | CWE-79 | 4.8 | - | 2026-03-04 |
| CVE-2026-3244 | Concrete CMS below version 9.4.8 is vulnerable to Stored XSS in Search Results via Page Names | Concrete CMS | CWE-79 | 4.8 | - | 2026-03-04 |
| CVE-2026-3452 | Concrete CMS below 9.4.8 is vulnerable to stored deserialization leading to RCE in the Express Entry List block. | Concrete CMS | CWE-502 | 7.2 | - | 2026-03-04 |
| CVE-2025-8571 | Concrete CMS 9 through 9.4.2 and below 8.5.21 is vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page | Concrete CMS | CWE-20 | 6.1 | Medium (AI) | 2025-08-05 |
| CVE-2025-8573 | Concrete CMS 9 through 9.4.2 is vulnerable to Stored XSS from Home Folder on Members Dashboard page | Concrete CMS | CWE-20 | 4.8 | Medium (AI) | 2025-08-05 |
| CVE-2025-3153 | Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 - CSRF and XSS in Concrete CMS Custom Address attribute | Concrete CMS | CWE-79 | 5.4 | Medium (AI) | 2025-04-03 |
| CVE-2025-0660 | Stored XSS in Folder Function by Rogue Admin | Concrete CMS | CWE-20 | 4.8 | - | 2025-03-10 |
| CVE-2024-7398 | Concrete CMS Stored XSS Vulnerability in Calendar Event Addition Feature | Concrete CMS | CWE-79 | 4.8 | Medium (AI) | 2024-09-24 |
| CVE-2024-8291 | Concrete CMS Stored XSS in Image Editor Background Color | Concrete CMS | CWE-22 | 4.8 | Medium (AI) | 2024-09-24 |
| CVE-2024-8660 | Stored XSS in the "Top Navigator Bar" block | Concrete CMS | CWE-79 | 4.8 | - | 2024-09-17 |
| CVE-2024-8661 | Concrete CMS version 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block | Concrete CMS | CWE-79 | 4.8 | - | 2024-09-16 |
| CVE-2024-4350 | Concrete CMS version 9 below 9.3.3 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer | Concrete CMS | CWE-79 | 4.8 | Medium (AI) | 2024-08-09 |
| CVE-2024-7512 | Concrete CMS Stored XSS in Board instances | Concrete CMS | CWE-20 | 4.8 | Medium (AI) | 2024-08-09 |
| CVE-2024-7394 | Concrete CMS version 9.0.0 through 9.3.2 and below 8.5.18 - Stored XSS in getAttributeSetName() | Concrete CMS | CWE-79 | 4.8 | Medium (AI) | 2024-08-08 |
| CVE-2024-4353 | Stored XSS in Generate Board Name Input Field | Concrete CMS | CWE-20 | 4.8 | Medium (AI) | 2024-08-01 |
| CVE-2024-3181 | Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. | Concrete CMS | CWE-79 | 3.1 | Low | 2024-04-03 |
| CVE-2024-3180 | Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file | Concrete CMS | CWE-79 | 3.1 | Low | 2024-04-03 |
| CVE-2024-3179 | Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page | Concrete CMS | CWE-79 | 3.1 | Low | 2024-04-03 |
| CVE-2024-3178 | Concrete CMS versions 9 below 9.2.8 and versions below 8.5.16 are vulnerable to Cross-site Scripting (XSS) in the Advanced File Search Filter | Concrete CMS | CWE-79 | 3.1 | Low | 2024-04-03 |
| CVE-2024-2753 | Concrete CMS version 9 below 9.2.8 and below 8.5.16 is vulnerable to stored XSS on the calendar color settings screen | Concrete CMS | CWE-79 | 2.0 | Low | 2024-04-03 |
| CVE-2024-2179 | Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type | Concrete CMS | CWE-79 | 2.2 | Low | 2024-03-05 |
| CVE-2024-1245 | Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes | Concrete CMS | CWE-20 | 2.4 | Low | 2024-02-09 |
| CVE-2024-1247 | Concrete CMS version 9 before 9.2.5 vulnerable to stored XSS via the Role Name field | Concrete CMS | CWE-20 | 2.0 | Low | 2024-02-09 |
| CVE-2011-3183 | Concrete CMS Cross-Site Scripting Vulnerability | Concrete CMS | - | 6.1 | - | 2020-01-14 |

Severity marked "(AI)" is an AI-assigned rating; "-" means no severity or CWE was recorded for that entry.

This page lists every published CVE security advisory associated with Concrete CMS. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.