An issue exists in Concrete CMS up to and including 8.5.5. There is an SVG sanitizer bypass.
concretecms concrete cms