Behavioral Improvements
- Improved performance on sites with large amounts of permission assignments.
Security Updates
- All security fixes below are for Concrete CMS version 9 only. There will be no fixes for version 8.
- Fixed CVE-2026-3452 by making columns and filterFields start from empty with commit 1286. Prior to the fix, an authenticated administrator could store attacker-controlled serialized data in block configuration fields that were later passed to unserialize() without class restrictions or integrity checks, leaving Concrete CMS vulnerable to remote code execution. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK of ZUSO ART for reporting H1 3549050.
- Fixed CVE-2026-3244 with commit 12826 for H1 3542571. Prior to the fix, a stored cross-site scripting (XSS) vulnerability existed in the search block where page names and content were rendered without proper HTML encoding in search results. Authenticated administrators were able to inject malicious JavaScript through page names which executed when users searched for and viewed those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks zolpak for reporting HackerOne 3542571.
- Fixed CVE-2026-3242 with commit 12826 for H1 3451125 to prevent administrators from being able to add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting HackerOne 3451125.
- Fixed CVE-2026-3241 with commit 12826 for H1 3456482 to prevent administrators from being able to add cross-site scripting (XSS) into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box) in the "Legacy Form" block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting H1 3456482.
- Fixed CVE-2026-3240 with commit 12826 for H1 3451114 to prevent an editor from injecting stored XSS through the Question field of the Legacy Form block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks minhnn42, namdi, and quanlna2 from VCSLab-Viettel Cyber Security for reporting H1 3451114.
- Fixed CVE-2026-2994 with commit 12826 for H1 3437650 to ensure the CSRF token is checked before changes to the group_id parameter are saved when using the Anti-Spam Allowlist Group Configuration. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting H1 3437650.
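The CVE-2026-3452 entry above describes the two missing controls, class restrictions and integrity checks, on serialized block configuration. The following is an added example, not Concrete CMS code and not the commit 1286 fix itself, showing how a PHP application can apply both before calling unserialize(); the key constant, function names and the sample settings are hypothetical.

```php
<?php
// Added example (not Concrete CMS code): load stored block configuration
// defensively. (a) Verify an HMAC over the stored blob so only data written by
// the application is accepted, and (b) forbid object instantiation with
// allowed_classes => false. The key is a placeholder for an app-level secret.

declare(strict_types=1);

const CONFIG_HMAC_KEY = 'replace-with-a-secret-from-app-config'; // placeholder

/** Serialize a plain array of block settings and tag it with an HMAC. */
function storeBlockConfig(array $settings): string
{
    // Only scalars and nested arrays are ever written: reject objects up front.
    array_walk_recursive($settings, function ($value): void {
        if (is_object($value)) {
            throw new InvalidArgumentException('Objects are not allowed in block config');
        }
    });
    $payload = serialize($settings);
    return hash_hmac('sha256', $payload, CONFIG_HMAC_KEY) . ':' . $payload;
}

/** Load settings, falling back to [] (the "start from empty" default) on any failure. */
function loadBlockConfig(?string $stored): array
{
    if ($stored === null || strpos($stored, ':') === false) {
        return [];
    }
    [$mac, $payload] = explode(':', $stored, 2);
    // Constant-time comparison: a tampered or foreign blob never reaches unserialize().
    if (!hash_equals(hash_hmac('sha256', $payload, CONFIG_HMAC_KEY), $mac)) {
        return [];
    }
    // Even with a valid MAC, serialized data must not instantiate classes.
    $data = @unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Demo with constructed sample data: a legitimate round trip is accepted,
// a blob with a wrong MAC is rejected, and a correctly-signed blob that
// encodes an object still yields [] because it does not decode to an array.
$stored = storeBlockConfig(['columns' => ['title', 'author'], 'filterFields' => []]);
var_dump(loadBlockConfig($stored));                     // accepted: valid MAC, plain array
var_dump(loadBlockConfig('bad:O:8:"stdClass":0:{}'));   // rejected: MAC mismatch
$objectBlob = 'O:8:"stdClass":0:{}';
var_dump(loadBlockConfig(hash_hmac('sha256', $objectBlob, CONFIG_HMAC_KEY) . ':' . $objectBlob)); // rejected: not an array
```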