CVE-2026-8353 Overview
CVE-2026-8353 is a stored cross-site scripting (XSS) vulnerability affecting Concrete CMS versions 9.0 through 9.5.0. The flaw resides in the Atomik theme, where the page name field fails to sanitize user-supplied input. A rogue editor with elevated privileges can inject arbitrary JavaScript that executes in the browser of any authenticated user who visits the affected account pages. Successful exploitation enables session hijacking, credential theft, unauthorized actions performed on behalf of victims, and potential privilege escalation within the CMS. The issue is tracked under CWE-79 and was reported by Yonatan Drori (Tenzai).
Critical Impact
Authenticated editors can persist JavaScript payloads inside page names, executing attacker-controlled code in the sessions of other authenticated users viewing account pages.
Affected Products
- Concrete CMS 9.0 through 9.5.0
- Concrete CMS Atomik theme (default theme component)
- Deployments allowing editor-tier accounts to create or rename pages
Discovery Timeline
- Vulnerability reported by Yonatan Drori (Tenzai) to the Concrete CMS security team
- 2026-05-22 - CVE-2026-8353 published to NVD
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2026-8353
Vulnerability Analysis
The vulnerability is a stored XSS flaw in the rendering path of the Atomik theme. When an editor creates or modifies a page, the page name value is persisted to the database without adequate output encoding. The Atomik theme later renders this value within account pages that other authenticated users visit. Because the page name is interpolated into HTML without contextual escaping, any JavaScript embedded in the name executes in the visiting user's browser session.
Exploitation requires high privileges, since only users with editor-level access can create or rename pages. However, once a payload is stored, no further interaction from the attacker is needed. The payload runs against every authenticated user who navigates to an account page containing the malicious name, giving the attacker access to session cookies, anti-CSRF tokens, and the application UI state.
Root Cause
The root cause is missing output sanitization in the Atomik theme templates. User-supplied page names should be escaped using context-appropriate functions such as h() before being emitted into HTML. The vulnerable templates emit the raw value, allowing <script> tags and event-handler attributes embedded in the page name to be parsed as executable markup.
Attack Vector
The attack vector is network-based and requires an authenticated editor account. An attacker with editor privileges creates a page whose name contains a JavaScript payload. When any authenticated user, including administrators, browses an account page that lists or references the malicious page, the script executes under that user's session context. This can be chained to escalate the attacker's privileges by hijacking an administrator session.
No verified public proof-of-concept code is available. Refer to the ConcreteCMS 9.x Release Notes for vendor-provided technical context.
Detection Methods for CVE-2026-8353
Indicators of Compromise
- Page records in the Concrete CMS database containing <script>, onerror=, onload=, or javascript: substrings in the page name field
- Unexpected outbound requests from authenticated browser sessions to external domains shortly after loading account pages
- Unusual administrative actions originating from accounts that did not initiate them, indicating session takeover
Detection Strategies
- Query the Concrete CMS pages table for page names containing HTML metacharacters such as <, >, ", or '
- Inspect web server access logs for requests whose HTTP Referer is an Atomik theme account page, and correlate them with anomalous outbound traffic from the same client shortly afterwards
- Review audit logs for page-create or page-rename events performed by editor-tier accounts that immediately precede privileged actions
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting to capture inline script execution attempts on account pages
- Alert on creation of pages whose names contain script-like tokens or encoded payload markers such as &lt;script and %3Cscript
- Track editor account activity for unusual page-rename frequency or modifications to pages referenced from account views
How to Mitigate CVE-2026-8353
Immediate Actions Required
- Upgrade Concrete CMS to version 9.5.1 or later, which contains the vendor fix referenced in the 9.5.1 release notes
- Audit existing pages for malicious content in the page name field and sanitize or remove any entries containing executable markup
- Review editor-tier accounts and revoke privileges from accounts that no longer require page creation or rename capabilities
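The following is an added example, not code from the page or from the Concrete CMS project, that implements the page-name audit called for under Detection Strategies and in the first response step above: it decodes URL- and entity-encoded names before matching the IoC tokens (so %3Cscript and &lt;script are caught), ranks the findings, and shows the output encoding a patched template should apply. The column names cID/cName and the sample rows are assumptions; the rows are constructed.

```python
import html
import re
from urllib.parse import unquote

# Script-like tokens from the page's IoC list and WAF pattern, plus the bare
# HTML metacharacters the detection strategy queries the pages table for.
SCRIPT_TOKEN_RE = re.compile(r"(?i)(<script|onerror=|onload=|javascript:)")
METACHAR_RE = re.compile(r"""[<>"']""")

def normalize(name, max_rounds=3):
    """Undo URL and HTML-entity encoding until the value stops changing, so
    markers such as %3Cscript, %253Cscript or &lt;script are caught as well."""
    current = name
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current

def classify(name):
    """'script' = IoC token present, 'metachar' = needs review, 'clean' = nothing."""
    decoded = normalize(name)
    if SCRIPT_TOKEN_RE.search(decoded):
        return "script"
    if METACHAR_RE.search(decoded):
        return "metachar"
    return "clean"

def audit(rows):
    """Scan (cID, cName) rows (column names assumed); return non-clean hits, 'script' first."""
    findings = [(cid, classify(name), normalize(name)) for cid, name in rows]
    return sorted((f for f in findings if f[1] != "clean"), key=lambda f: f[1] != "script")

def render_safe(name):
    """HTML-encode like the Concrete CMS h() helper should in a patched template (Python stand-in)."""
    return html.escape(name, quote=True)

# Constructed sample export; these are not records from any real site.
SAMPLE_ROWS = [
    (101, "About Us"),
    (102, "<script>alert(document.cookie)</script>"),
    (103, "Team %3Cscript%3Ealert(1)%3C/script%3E"),
    (104, "&lt;img src=x onerror=alert(1)&gt;"),
    (105, "Tom's Page"),
]

if __name__ == "__main__":
    for cid, verdict, decoded in audit(SAMPLE_ROWS):
        print(f"cID={cid} {verdict:8} {decoded!r} -> {render_safe(decoded)!r}")
```

Names flagged only as 'metachar' (an apostrophe, for instance) are common in legitimate pages and should be reviewed rather than deleted; 'script' hits are the ones to sanitize or remove first.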
Patch Information
Concrete CMS addressed this issue in version 9.5.1. Full details are documented in the ConcreteCMS 9.x Release Notes. Administrators running any version from 9.0 through 9.5.0 should plan an upgrade. Test the upgrade in a staging environment before promoting to production, as theme customizations may interact with the patched rendering path.
Workarounds
- Restrict editor permissions so that only trusted accounts can create or rename pages until the patch is applied
- Deploy a strict Content Security Policy that disallows inline scripts on account pages to reduce payload execution
- Apply a web application firewall rule that blocks HTML metacharacters and script tokens in the page name parameter on save endpoints
# Example WAF rule pattern to block script payloads in page name submissions
SecRule ARGS:cName "@rx (?i)(<script|onerror=|onload=|javascript:)" \
"id:1026835301,phase:2,deny,status:403,log,msg:'Concrete CMS CVE-2026-8353 XSS attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.