GHSA-f73j-pm2c-rxvrMedium

Concrete CMS is Vulnerable to Reflected XSS in Legacy Pagination

Published
May 22, 2026
Last Modified
June 24, 2026

🔗 CVE IDs covered (1)

📋 Description

Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (<a href="{$linkURL}" …>). Any authenticated admin or report viewer with access to /dashboard/reports/forms/legacy who clicks the crafted URL fires the payload in their session.

🎯 Affected products1

  • composer/concrete5/concrete5:< 9.5.1

🔗 References (3)