What is GHSA-q9fm-mpg8-8jqm?

GHSA-q9fm-mpg8-8jqm is a security advisory published by GitHub Security Advisories with Low severity. Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme....

Which CVE IDs does GHSA-q9fm-mpg8-8jqm cover?

GHSA-q9fm-mpg8-8jqm covers the following CVE IDs: CVE-2026-8353. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-q9fm-mpg8-8jqm?

GHSA-q9fm-mpg8-8jqm has a CVSS v3 base score of 4.8, published by GitHub Security Advisories.

GHSA-q9fm-mpg8-8jqmLowCVSS 4.8

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme....

Vendor

GitHub Security Advisories

Published

May 26, 2026

Last Modified

May 26, 2026

🔗 CVE IDs covered (1)

CVE-2026-8353 →

📋 Description

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

🔗 References (3)

https://nvd.nist.gov/vuln/detail/CVE-2026-8353
https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
https://github.com/advisories/GHSA-q9fm-mpg8-8jqm