Current File : /var/softaculous/conc8//changelog.txt
9.4.8 Release Notes

Behavioral Improvements

    Improved performance on sites with large amounts of permission assignments.

Security Updates

    All security fixes below are for Concrete CMS version 9 only. There will be no fixes for version 8.
    Fixed CVE-2026-3452 by making columns and filterFields start from empty with commit 1286. Prior to the fix, an authenticated administrator could store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks, making Concrete CMS vulnerable to remote code execution. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK of ZUSO ART for reporting H1 3549050.
    Fixed CVE-2026-3244 with commit 12826 for H1 3542571. Prior to the fix, a stored cross-site scripting (XSS) vulnerability existed in the search block where page names and content were rendered without proper HTML encoding in search results. Authenticated administrators were able to inject malicious JavaScript through page names which executed when users searched for and viewed those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks zolpak for reporting HackerOne 3542571.
    Fixed CVE-2026-3242 with commit 12826 for H1 3451125 to prevent administrators from being able to add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting HackerOne 3451125.
    Fixed CVE-2026-3241 with commit 12826 for H1 3456482 to prevent administrators from being able to add cross-site scripting (XSS) into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box) in the "Legacy Form" block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting H1 3456482.
    Fixed CVE-2026-3240 with commit 12826 for H1 3451114 to prevent an editor from being able to inject stored XSS through the Question field in the Legacy Form element. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks minhnn42, namdi, and quanlna2 from VCSLab-Viettel Cyber Security for reporting H1 3451114.
    Fixed CVE-2026-2994 with commit 12826 for H1 3437650 to ensure the CSRF token is checked before changes to the group_id parameter are saved when using the Anti-Spam Allowlist Group Configuration. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting H1 3437650.
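
The CVE-2026-3452 entry above names two safeguards that were missing around unserialize(): class restrictions and integrity checks. The following is an added example, not Concrete CMS code and not the project's fix; the function names, the key and the sample values are constructed for illustration. It shows both safeguards on a stored field, falling back to an empty value when either check fails.

```php
<?php
// Added example, not Concrete CMS code: names, key and samples are constructed.
const FIELD_KEY = 'constructed-demo-key'; // assumption: a server-side secret

// Serialize a field value and prefix an HMAC so later tampering is detectable.
function packField(array $value): string
{
    $blob = serialize($value);
    return hash_hmac('sha256', $blob, FIELD_KEY) . ':' . $blob;
}

// Return the stored list of strings, or [] (start from empty) on any doubt.
function unpackField(string $stored): array
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$mac, $blob] = $parts;
    // Integrity check: recompute the MAC and compare in constant time.
    if (!hash_equals(hash_hmac('sha256', $blob, FIELD_KEY), $mac)) {
        return [];
    }
    // Class restriction: any object becomes __PHP_Incomplete_Class, so no
    // application class is instantiated and none of its magic methods run.
    $data = @unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    // Shape check: accept only a flat list of strings (e.g. column names).
    foreach ($data as $item) {
        if (!is_string($item)) {
            return [];
        }
    }
    return $data;
}

// Constructed inputs: a clean value, a value altered after signing, and a
// correctly signed value that carries an object instead of strings.
$good = packField(['name', 'date_added']);
$tampered = substr($good, 0, 65) . 'O:8:"stdClass":0:{}';
$signedObject = packField([new stdClass()]);
foreach ([$good, $tampered, $signedObject] as $stored) {
    var_dump(unpackField($stored));
}
```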
	
9.4.7 Release Notes


Behavioral Improvements

    YouTube block view now contains iframe code to help YouTube render better under certain stricter web server settings (thanks MarcoKuoni)
    We now define operation IDs for API endpoints (thanks hissy)
    On the Dashboard > Database Entities page we now show entities that are defined using PHP attributes (not just entities) (thanks mlocati)

Bug Fixes

    Fixed: Conversations file attachment icons and file attachment area are not formatted properly.
    Fixed: conversation loader shows properly.
    Fixed: The close “X” of the Workflow pop-up only has Atomik CSS and doesn’t show up in other themes
    Fixed: Subscribe to Conversation "X" button does Unsubscribe/Subscribe button action
    Fixed incorrect edit profile validation on username.
    Fixed inability to rename a form block’s name through the block editing dialog once it has been added to the page.
    Fixed bug when regional jQuery UI languages did not load in time (thanks mlocati)

Developer Updates

    Updated dependencies to their latest minor versions.

Security Updates

    Patched Symfony Foundation libraries to resolve this security issue: https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass
    Updated enshrined/svg-sanitize, which improves security scanning of SVG files (see https://www.cve.org/CVERecord?id=CVE-2025-55166).
	
9.4.6 Release Notes

New Features

    We now check whether the web server appears to be properly configured to support pretty URLs on the URLs and Redirection Dashboard page, and present warnings to the user prior to allowing them to set this configuration value if it appears that it will cause their site to cease rendering (thanks mlocati)

Behavioral Improvements

    Added additional logging to pages, files, Express entries/objects, and calendar events.
    The “Remove Old Page Versions” task is now more efficient and handles larger data sets much more reliably (thanks biplobice)
    We now show seconds in the log entry timestamp.
    We now only redirect requests to URLs where trailing slash settings don’t match when using GET requests, rather than all requests (thanks JohnTheFish)

Bug Fixes

    Fixed bug that caused container instances in the database to be deleted and recreated on each page load, potentially dramatically increasing DB usage on pages where containers were used.
    Fixed bug where reordering Express entries on associations didn’t work under certain conditions.
    Fixed: Can not go to pages on other sites from sitemap panel when using multisite (thanks hissy)
    Fixed inability to retrieve group details over the REST API.
    Fixed: ClassNotFoundError on accessing open api spec (thanks hissy)
    Fixed: When using multisite, page drafts can be created within the wrong site (thanks hissy)
    Fixed bug where Page List block pagination interface was buggy after update to 9.4.5 under certain conditions.
    Fixed: When you hover over the tooltip icon near Image hover of Image Block, the tooltip does not appear (thanks SashaMcr)
    Miscellaneous PHP8 fixes and code cleanup (thanks biplobice)
    Made some untranslatable strings translatable (thanks wtflm)

