Concrete CMS Security Announcements

Security Update: Fixes for Concrete CMS v9

Wed, 04 Mar 2026 17:20:00 +0000

Concrete CMS 9.4.8 includes security updates addressing vulnerabilities including Remote Code Execution (RCE), Cross-Site Scripting (XSS), and CSRF. Users on version 8 are encouraged to plan migration to version 9.

Security Fixes in Concrete 8.5.21 and CMS 9.4.3

Wed, 06 Aug 2025 18:55:00 +0000

Security Fixes Included in Concrete 8.5.21 and/or CMS 9.4.3

2025-04-03 Concrete CMS Security Advisory - Security fixes in 9.4.0 Release Candidates

Fri, 04 Apr 2025 13:18:00 +0000

Concrete CMS 9.4.0 Release Candidate 1 (RC1) which was released in March 2025 fixed Stored Cross-Site Scripting (XSS)

2025-01-20 Concrete Security Advisory - CVEs upgraded to “Medium”

Tue, 21 Jan 2025 20:55:00 +0000

You might notice that a number of Concrete CMS CVEs have higher CVSS 4.0 risk rankings assigned by the CNA (that’s us!) than the last time you looked at them.

New Concrete CMS CVEs Published in conjunction with releases 9.3.4 and 8.5.19

Fri, 13 Sep 2024 13:10:00 +0000

The following CVEs affecting both version 9 below 9.3.4 and all other concrete versions below 8.5.19 have been sent to MITRE to publish

Concrete CMS Security Fixes with 9.3.3 and 8.5.18

Thu, 08 Aug 2024 15:04:00 +0000

2024-04-03 Concrete CMS New Cross Site Scripting CVEs

Wed, 03 Apr 2024 19:20:00 +0000

We will be publishing a number of CVEs today which were remediated with Concrete CMS versions 8.5.16 and 9.2.8.

2024-03-04 Concrete Security Advisory

Wed, 06 Mar 2024 14:04:00 +0000

The Concrete CMS Team is publishing CVE-2024-2179 with the release of 9.2.7; Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field.

CKEditor 4.22.1 and Concrete CMS Security Updates

Mon, 12 Feb 2024 14:26:00 +0000

On February 7th, 2024, we received a bug report that the rich text editor in Concrete CMS 8 and 9 was displaying a strange and alarming warning. Learn more about this warning, what it's regarding, how to suppress it and what we're doing about it going forward.

3 New Very Low Concrete CMS CVEs 2024-02-04 Security Advisory

Wed, 07 Feb 2024 14:26:00 +0000

We will be publishing three CVEs for very low vulnerabilities that were reported and fixed in Concrete version 9.2.5. These vulnerabilities affected Concrete version 9 only.

Concrete CMS will Manage Concrete CVEs starting now!

Fri, 05 Jan 2024 14:41:00 +0000

Concrete CMS has just been authorized by the CVE Program as a CVE Numbering Authority (CNA). Concrete CMS will be managing Concrete CMS CVEs created as of today going forward for supported versions of Concrete CMS.

A Comprehensive Overview of CVEs in Supported Versions of Concrete CMS

Fri, 15 Dec 2023 20:41:00 +0000

We are pleased to announce that we are sharing our tracker for the Disclosed Common Vulnerabilities and Exposures (CVEs) affecting supported versions of Concrete CMS.

2023-12-05 Concrete CMS New CVEs and CVE Updates

Wed, 06 Dec 2023 14:35:00 +0000

We are excited to announce the release of Concrete version 9.2.3, as well as an update for Concrete CMS version 8.5, now at version 8.5.14. These releases come with a number of security updates, reinforcing our commitment to the security and reliability of Concrete CMS.

Mitigate League OAuth2 Server Vulnerability

Thu, 23 Nov 2023 20:05:00 +0000

2023-11-09 Security Blog about updated CVEs and new releases

Thu, 09 Nov 2023 01:53:00 +0000

There have been a number of medium and low security vulnerabilities that have been fixed in version 9.2.2.

Security Advisory 2023-10-31 Concrete CMS rejects CVE-2023-44760 and CVE-2023-44766

Tue, 31 Oct 2023 20:01:00 +0000

Security Advisory 2023-10-31 Concrete CMS rejects CVE-2023-44760 and CVE-2023-44766

Security Advisory 2023-10-25 Concrete CMS rejects CVE-2023-44763

Wed, 25 Oct 2023 19:57:00 +0000

Concrete CMS is requesting that MITRE close CVE-2023-44763 which was submitted by a community member without the Concrete CMS Team knowledge.

Security Advisory 2023-05-15 Disputing NIST score for Concrete CMS CVE-2023-28473

Mon, 15 May 2023 21:54:00 +0000

Security Advisory 2023-05-15 Disputing NIST score for Concrete CMS CVE-2023-28473

Concrete CMS Security Advisory 2023-04-20

Thu, 20 Apr 2023 13:56:00 +0000

There have been a number of medium and low security vulnerabilities that have been fixed in version 9 through 9.2. Thanks so much to all the community members who report vulnerabilities following the process outlined on https://www.concretecms.org/security so that they can be triaged and remediated!

Concrete CMS Security Advisory 2022-10-31

Mon, 31 Oct 2022 17:36:00 +0000

See the list of newly published Concrete CMS CVEs affecting Concrete CMS below 8.5.10 and 9.0.0 through 9.1.2 which have been fixed with security updates 8.5.10 and 9.1.3