We’re pleased to release Concrete CMS 9.4.8, a maintenance update focused primarily on security and stability. This release addresses several reported vulnerabilities and includes a performance improvement for sites with large numbers of permission assignments.
Concrete CMS 9.4.8 Released: Security and Stability Improvements
Mar 4, 2026
We strongly recommend that all sites running Concrete CMS version 9 update to 9.4.8 to ensure they remain secure.
This release resolves a number of security issues, including a Remote Code Execution (RCE) vulnerability (CVE-2026-3452) and several Cross-Site Scripting (XSS) vulnerabilities affecting the Search block, Switch Language block, and Legacy Form block. It also addresses a CSRF validation issue in the Anti-Spam Allowlist configuration.
As a reminder, security fixes are provided only for Concrete CMS version 9, and no further security patches will be released for version 8.