Platform
php
Component
concrete5/concrete5
Fixed in
9.4.8
9.4.8
CVE-2026-3241 is a critical Remote Code Execution (RCE) vulnerability found in the openclaw component. This flaw allows non-admin operators to self-claim the operator.admin scope, bypassing pairing and potentially gaining full control of the system. The vulnerability impacts versions of openclaw up to and including 2026.3.24, and a fix is available in version 2026.3.25.
CVE-2026-3241 affects Concrete CMS versions prior to 9.4.8, presenting a Cross-Site Scripting (XSS) vulnerability within the 'Legacy Form' block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The potential impact includes cookie theft, redirection to malicious websites, modification of page content, or the execution of arbitrary code in the context of the affected user. The vulnerability's severity is rated CVSS 4.8.
The vulnerability is exploited through manipulation of the options in a 'Checkbox List', 'Radio Buttons', or 'Select Box' question within a 'Legacy Form'. An attacker with form editing privileges can inject malicious JavaScript code into these options. When a user visits the page containing the form, their browser executes the injected JavaScript code, allowing the attacker to perform malicious actions. The persistent nature of the payload means the vulnerability remains active until the fix is applied.
Exploit Status
EPSS
0.02% (4% percentile)
CISA SSVC
CVSS Vector
The solution to mitigate CVE-2026-3241 is to update Concrete CMS to version 9.4.8 or higher. This update corrects the XSS vulnerability by properly validating and escaping user input within the 'Legacy Form' block. It is highly recommended to apply the update as soon as possible to protect your website from potential attacks. Additionally, review user permissions to ensure only authorized users have access to create and edit forms. Implementing a robust password policy and enabling two-factor authentication can help prevent unauthorized access to Concrete CMS administration.
Update Concrete CMS to version 9.4.8 or higher. This version contains the fix for the stored XSS vulnerability in the "Legacy Form" block. The update will eliminate the possibility of injecting malicious JavaScript code through multiple-choice question options.
Vulnerability analysis and critical alerts directly to your inbox.
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
If you are using a version of Concrete CMS prior to 9.4.8 and have the 'Legacy Form' block enabled, your site is vulnerable. Apply the update as soon as possible.
If you suspect your site has been compromised, immediately change all user passwords, review site logs for suspicious activity, and consider restoring from a clean backup.
There is no viable workaround without updating to version 9.4.8 or higher. Disabling the 'Legacy Form' block is a temporary option, but it will limit your site's functionality.
You can find more information about the update to version 9.4.8 on the official Concrete CMS website: [https://www.concretecms.com/](https://www.concretecms.com/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.