Concrete CMS versions up to and including 8.5.5 are affected by cross-site scripting (XSS) via Markdown Comments.