Security Update: Fixes for Concrete CMS v9

Mar 4, 2026
by lisan

Maintaining the security and integrity of your digital presence is an important priority. We have just released a series of security updates with Concrete CMS version 9.4.8 to address several vulnerabilities ranging from Cross-Site Scripting (XSS) to Remote Code Execution (RCE). 

Important Note: All fixes listed below apply only to Concrete CMS version 9. No further security fixes will be backported to version 8. We strongly recommend that all users still on version 8 plan their migration to v9 to remain protected.

Security Fixes in this Release

1. Remote Code Execution (RCE) via Deserialization

  • CVE: CVE-2026-3452
  • Severity: 8.9 (High)
  • Details: Prior to this fix, an authenticated administrator could store attacker-controlled serialized data in block configuration fields. Because these were passed to unserialize() without class restrictions, it created a path for Remote Code Execution.
  • Fix: Updated columns and filterFields to start from empty
  • Credit: Thanks to YJK of ZUSO ART for the report.
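As an added illustration (not Concrete CMS's own code), the unrestricted unserialize() pattern described above sits next to a hardened version that uses PHP's allowed_classes option and validates the shape of the result; the function names and the sample configuration are assumptions.

```php
<?php
// Added example, not Concrete CMS code: the unrestricted unserialize()
// pattern described in the advisory next to a hardened version.
// Function names and the sample configuration below are assumptions.

// Constructed sample of what a block might persist in its configuration
// column: a plain array of column names, written with serialize().
$storedConfig = serialize(['columns' => ['title', 'date'], 'filterFields' => []]);

// Vulnerable pattern: with no options, unserialize() instantiates any
// class named in the payload, so attacker-controlled bytes in this column
// can trigger magic methods (__wakeup, __destruct) of application classes.
function loadBlockConfigUnsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern: refuse to instantiate objects at all (embedded objects
// become __PHP_Incomplete_Class and never run code), then check the shape
// of the result before trusting it.
function loadBlockConfigSafe(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        // Malformed, object-typed or otherwise unexpected data: fall back
        // to an empty configuration instead of using it.
        return ['columns' => [], 'filterFields' => []];
    }
    // Only plain identifier-like strings are accepted as field names.
    $isIdentifier = fn($v) => is_string($v) && preg_match('/^[A-Za-z0-9_]+$/', $v) === 1;
    return [
        'columns'      => array_values(array_filter((array) ($data['columns'] ?? []), $isIdentifier)),
        'filterFields' => array_values(array_filter((array) ($data['filterFields'] ?? []), $isIdentifier)),
    ];
}

// Well-formed configuration: the column names come back as plain strings.
$config = loadBlockConfigSafe($storedConfig);
echo implode(',', $config['columns']), PHP_EOL;

// Constructed payload carrying a serialized object instead of an array:
// the hardened loader does not instantiate it and returns the empty default.
$rejected = loadBlockConfigSafe('O:8:"stdClass":0:{}');
echo count($rejected['columns']), ' columns after rejecting object payload', PHP_EOL;
```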

2. Stored XSS in Search Block

  • CVE: CVE-2026-3244
  • Severity: 4.8 (Medium)
  • Details: Page names and content were rendered in search results without proper HTML encoding, allowing administrators to inject malicious JavaScript.
  • Fix: Implementation of proper encoding in search results
  • Credit: Thanks to zolpak for the report.

3. Stored XSS in Legacy Form & Switch Language Blocks

  • CVEs: CVE-2026-3242, CVE-2026-3241, CVE-2026-3240
  • Severity: 4.8 (Medium)
  • Details: Multiple vulnerabilities were identified where administrators or editors could inject XSS through the Switch Language block, multiple-choice options (Radio/Select/Checkbox), and the Question field in the Legacy Form block.
  • Fixes: Unified sanitization and encoding improvements across these blocks
  • Credit: Thanks to M3dium and the team at VCSLab-Viettel Cyber Security (minhnn42, namdi, and quanlna2).

4. CSRF in Anti-Spam Configuration

  • CVE: CVE-2026-2994
  • Severity: 2.3 (Low)
  • Details: A missing CSRF token check allowed for unauthorized changes to the group_id parameter within the Anti-Spam Allowlist Group Configuration.
  • Fix: Added mandatory CSRF token validation to the configuration save process.
  • Credit: Thanks to z3rco for the report.

We would like to extend a huge thank you to the independent security researchers who reported these issues via our HackerOne program. Your contributions help keep the entire Concrete CMS community safe.