External risk intelligence

Concrete CMS allows attackers to steal login data through a flaw in its OAuth integration.

CVE advisorySeverity: HIGH (CVSS 7.3)

CVE-2026-8197

Concrete CMS versions 9.5.0 and below have a security flaw in their OAuth integration that could let an administrator see sensitive login information from users.

4Halo Surface Signal

Cross-site Scripting

Concretecms Concrete Cms

9.5.0 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2026-8197

Concrete CMS is a web content management system commonly deployed as an internet-facing web application. This vulnerability specifically affects the OAuth integration and administrative interface, which are components of a web-accessible platform intended for remote content management and user authentication.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Concrete CMS allows a malicious administrator to inject malicious HTML into the system, potentially leading to unauthorized access to user login data. This could happen if an attacker gains administrative privileges and manipulates the OAuth integration name, which is then displayed to users during login.

  • Rogue administrator can spy on logins.
  • Affects systems using OAuth.
  • Requires administrator access.

Attack Path

How an attacker could exploit the issue

A malicious administrator can exploit this vulnerability by entering specially crafted HTML into the OAuth integration name field. This crafted HTML will then be rendered on pages that display the integration name, allowing the attacker to inject malicious scripts that can steal session cookies or redirect users.

  • Requires administrative access.
  • Exploits OAuth integration name field.
  • Target relies on admin actions.

Live Threat

Current exploitation, exposure, and threat context

This stored XSS vulnerability in Concrete CMS, affecting OAuth integration names, presents a moderate threat. While requiring administrative control to initially exploit, the vulnerability could allow a malicious administrator to snoop on login submissions through crafted integration names. The exploit requires specific conditions, such as a compromised administrative account and a user interaction to trigger the XSS.

  • Requires admin access for setup.
  • User interaction needed for exploitation.
  • Vulnerability is older with no recent exploitation signals.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize reviewing logs for signs of unauthorized administrative access or attempts to exploit the OAuth integration for data exfiltration, given the high impact and critical nature of stored XSS in this context. Focus immediate efforts on identifying and isolating any Concrete CMS instances running version 9.5.0 or below.

  • Audit admin users and OAuth configurations.
  • Isolate or take offline affected services.
  • Monitor for suspicious administrative activity.

Frequently asked questions

What is Concrete CMS and what is its primary function?

Concrete CMS is a web content management system designed for building and managing websites. It empowers users to create, edit, and organize website content, manage user access, and integrate diverse functionalities, making it a flexible solution for web development and administration.

What type of security weakness does CVE-2026-8197 reveal in Concrete CMS?

CVE-2026-8197 exposes a Stored Cross-Site Scripting (XSS) vulnerability. This weakness allows malicious code injection, which can then be served to other users. An attacker could potentially intercept login submissions by manipulating the OAuth integration name.

How can a malicious administrator exploit the OAuth integration name in Concrete CMS?

A rogue administrator can insert malicious HTML into the OAuth integration name field. This input is rendered on pages displaying the integration name, enabling the attacker to inject scripts that may steal session cookies or redirect users. This requires administrative privileges to execute.

What is the relevance of CVE-2026-8197, considering its impact and exposure?

This stored XSS vulnerability in Concrete CMS, affecting OAuth integration names, presents a significant threat. Its network-based attack vector and high severity mean it is classified as external. The CVSS v4.0 score is 7.3, indicating a considerable risk, especially as it allows for potential interception of sensitive login data.

What are the recommended immediate actions for systems affected by this vulnerability?

It is crucial to immediately identify Concrete CMS instances running version 9.5.0 or earlier. Administrators should meticulously audit their systems for any signs of unauthorized administrative access or suspicious activity related to OAuth configurations. Isolating affected services or taking them offline temporarily is also advised until the system can be updated.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified