CVE-2022-43556 has been released. XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N The fix for this CVE was in Release 8.5.10 and 9.1.3 but it took a bit for HackerOne to provide and release a CVE for it.