Concrete CMS DISCLOSED CVEs
last updated date: 2026-05-28
Columns: Affected Versions; CVE; MITRE Title; Concrete Team Information; CVSS v4 Score (Concrete Team, NIST); CVSS v4 vector (Concrete Team, NIST); CVSS v3.1 Score (Concrete Team, NIST); CVSS v3.1 vector (Concrete Team, NIST); Credit; Date Disclosed by Concrete; Date Published by NVD; Notes
Concrete CMS below 9.5.1
CVE-2026-8134
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader's extension-only validation (which permits PHP code in files saved with image extensions like .png), this can result in authenticated remote code execution. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 9.4 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 9.4; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8135
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. A rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because the REST API parses requests using json_decode(), the string "true" is evaluated as a strict PHP Boolean(true). This bypass allows the attacker to inject a malicious serialized payload into the block's filterFields database column. The payload will subsequently be executed when the block's data is viewed or edited by an administrator, leading to complete server takeover (RCE). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with a vector of CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks Nguyễn Văn Thiện for reporting.
CVSS v4 Score: Concrete Team 8.9; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Nguyễn Văn Thiện
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8140
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/<remoteId>. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() permission before fetching a remote marketplace package and writing it to the server's DIR_PACKAGES directory. Because the endpoint is a state-changing GET route with no token enforcement, an attacker who can cause an authenticated administrator to visit a crafted page can force an arbitrary marketplace package to be downloaded. In order to be vulnerable, the victim must be passing canInstallPackages() and the site must be connected to the Concrete marketplace. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
CVSS v4 Score: Concrete Team 7.5; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: maru1009
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8417
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before executing upgradeCoreData() and upgrade() on the named package's controller. Because the endpoint is a state-changing GET route with no token enforcement, an attacker can force an authenticated administrator to trigger a package upgrade via a single cross-site navigation. In order to be vulnerable, the victim must be passing canInstallPackages() and a target package must already be installed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
CVSS v4 Score: Concrete Team 7.5; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: maru1009
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8421
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution. In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
CVSS v4 Score: Concrete Team 7.5; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: maru1009
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8426
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade() method to execute in a single browser navigation. This results in remote code execution as the web server user. In order to be vulnerable, the victim must be passing canInstallPackages, the victim site must be connected to the Concrete marketplace, and the attacker must control the package returned for a marketplace item ID already installed on the victim site. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
CVSS v4 Score: Concrete Team 7.5; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: maru1009
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8428
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php never calls $this->token->validate('do_update'). The form is rendered as a POST form, meaning the token reaches the browser, but because the controller discards it without verification, an attacker can craft a cross-site POST that triggers a core CMS update to an attacker-specified version string. In order to be vulnerable, the victim must be passing canUpgrade() and a valid update version must be present under DIR_CORE_UPDATES. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
CVSS v4 Score: Concrete Team 7.5; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: maru1009
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8350
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to missing authorization in bulk_user_assignment.php, which can lead to privilege escalation to the Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Vincent55 for reporting.
CVSS v4 Score: Concrete Team 7.5; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Vincent55
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8197
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation helper as a sprintf-style format. The <strong>...</strong> wrap is built by PHP string interpolation before t() runs, so the integration name lands in the translated output as raw HTML. A rogue admin could potentially snoop on login submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 7.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8203
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Alfin Joseph for reporting.
CVSS v4 Score: Concrete Team 7.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Alfin Joseph
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-6826
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.
CVSS v4 Score: Concrete Team 6.9; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Eldudareeno
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8204
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Event Frontend Dialog, which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
CVSS v4 Score: Concrete Team 6.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Winston Crooker
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8205
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar, which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks lalalala5678 for reporting.
CVSS v4 Score: Concrete Team 6.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: lalalala5678
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8236
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site structure data (page IDs, versions, URL paths) to anyone who sends a GET request. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
CVSS v4 Score: Concrete Team 6.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Winston Crooker
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8237
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 is vulnerable to IDOR. The /ccm/frontend/conversations/message_detail endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.
CVSS v4 Score: Concrete Team 6.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Eldudareeno
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8238
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to IDOR. The /ccm/frontend/conversations/message_page endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
CVSS v4 Score: Concrete Team 6.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Tristan Madani
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8239
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to IDOR. The /ccm/frontend/conversations/get_rating endpoint confirms existence and returns the rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
CVSS v4 Score: Concrete Team 6.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Tristan Madani
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-7879
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be downloaded, and any user who knows a file's password can download a password-protected file regardless of whether they have permission to access the file. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Youssef Eid for reporting.
CVSS v4 Score: Concrete Team 6.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Youssef Eid (@youssef3id)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-7881
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. Thanks Tristan Madani for reporting.
CVSS v4 Score: Concrete Team 6.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Tristan Madani
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8240
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
CVSS v4 Score: Concrete Team 6.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Winston Crooker
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8337
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey's endpoint. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Zer0daySec for reporting.
CVSS v4 Score: Concrete Team 6.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Zer0daySec (https://github.com/Zee99y)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8245
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (<a href="{$linkURL}" …>). Any authenticated admin or report viewer with access to /dashboard/reports/forms/legacy who clicks the crafted URL fires the payload in their session. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 6.0; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8327
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update() without field whitelisting, resulting in password change without requiring the current password and also allowing registered users to disable the per-user IP pinning in the session validator, which is meant to detect hijacking. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 5.3 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks 0x4c616e for reporting.
CVSS v4 Score: Concrete Team 5.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: 0x4c616e
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-7882
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protection for the file deletion endpoint, allowing cross-site request forgery attacks against users who have permission to edit conversation messages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector of CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Tristan Madani
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-7886
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via the attachments[] parameter, which can lead to file permission bypass. The AddMessage and UpdateMessage conversation controllers accept user-supplied file attachment IDs and load files directly via $em->find(File::class, $attachmentID) without checking per-file permissions (canViewFile()). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector of CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
If a site truly has private files, the owner should set up a private storage location outside of the webroot so that permissions can be checked on view as well. That way, even if an authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Tristan Madani
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-7887
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: For Concrete CMS 9.5.0 and below, the OAuth 2.0 authorization-code handler bypasses account status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. Thanks 0x4c616e for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: 0x4c616e
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8340
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. A victim with the edit_file_contents permission can be CSRF'd into publishing an attacker-chosen, previously uploaded version (a downgrade to an older version of a file, or activation of a co-editor's unpublished version). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Winston Crooker
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8347
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a wrong authorization level in the Express association Reorder dialog. This can cause cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using Express and relying on Express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Winston Crooker
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8409
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8410
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8411
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8412
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8413
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8414
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8415
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8416
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8427
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8432
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8433
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8434
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8435
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.3; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-7890
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation, enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a vector of CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N. Thanks 0x4c616e for reporting.
CVSS v4 Score: Concrete Team 2.1; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: 0x4c616e
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
CVE-2026-8139
Affected Versions: Concrete CMS below 9.5.1
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via the external-link page cvName because updateCollectionAliasExternal bypasses sanitization. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.0; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
Concrete CMS 9.0.0 to 9.5.0
CVE-2026-8353
Affected Versions: Concrete CMS 9.0.0 to 9.5.0
MITRE Title: N/A - Concrete CMS is now a CNA
Concrete Team Information: Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4 Score: Concrete Team 2.1; NIST Pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N; NIST Pending
CVSS v3.1 Score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Yonatan Drori (Tenzai)
Date Disclosed by Concrete: 2026-05-19
Date Published by NVD: 2026-05-21
Notes: N/A
53
Concrete CMS below 9.4.8
54
Concrete CMS below 9.4.8 | CVE-2026-3452 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. | 8.9 | pending | CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H | pending | N/A | N/A | N/A | N/A | YJK (@YJK0805) of ZUSO ART | 2026-03-03 | N/A | N/A
Concrete CMS below 9.4.8 | CVE-2026-3240 | See Concrete Team information - Concrete CMS is now a CNA | In Concrete CMS below version 9.4.8, a user with permission to edit a page containing a Legacy Form element can perform a stored XSS attack against high-privilege accounts via the Question field. | 4.8 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N | pending | N/A | N/A | N/A | N/A | minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security | 2026-03-03 | N/A | N/A
Concrete CMS below 9.4.8 | CVE-2026-3241 | See Concrete Team information - Concrete CMS is now a CNA | In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the Legacy Form block. An authenticated user with permissions to create or edit forms can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. | 4.8 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N | pending | N/A | N/A | N/A | N/A | M3dium | 2026-03-03 | N/A | N/A
Concrete CMS below 9.4.8 | CVE-2026-3242 | See Concrete Team information - Concrete CMS is now a CNA | In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. | 4.8 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N | pending | N/A | N/A | N/A | N/A | M3dium | 2026-03-03 | N/A | N/A
Concrete CMS below 9.4.8 | CVE-2026-3244 | See Concrete Team information - Concrete CMS is now a CNA | In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the search block, where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. | 4.8 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N | pending | N/A | N/A | N/A | N/A | zolpak | 2026-03-03 | N/A | N/A
Concrete CMS below 9.4.8 | CVE-2026-2994 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS below version 9.4.8 is subject to CSRF by a rogue administrator using the Anti-Spam Allowlist Group Configuration via the group_id parameter, which can lead to a security bypass since changes are saved prior to checking the CSRF token. | 2.3 | pending | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N | pending | N/A | N/A | N/A | N/A | z3rco | 2026-03-03 | N/A | N/A
Concrete CMS 9 to 9.4.2
Concrete CMS 9 to 9.4.2 | CVE-2025-8571 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if the victim is an admin) the execution of unauthorized actions. | 4.8 | N/A | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N | N/A | 2025-08-05 | 2025-08-05
Concrete CMS 9 to 9.4.2 | CVE-2025-8573 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on the Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. | 2.0 | N/A | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | N/A | N/A | N/A | N/A | N/A | sealldev (Noah Cooper) | 2025-08-05 | 2025-08-05
Concrete CMS 9 to 9.4.2 and versions below 8.5.21
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 | CVE-2025-8571 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if the victim is an admin) the execution of unauthorized actions. | 4.8 | N/A | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N | N/A | N/A | N/A | N/A | N/A | sealldev (Noah Cooper) | 2025-08-05 | 2025-08-05
Concrete CMS 8 below 8.5.20
Concrete CMS below 8.5.20 | Advisory only | n/a | Advisory only: update to 8.5.20 if using a Microsoft OS. Unsafe storage of API keys when using a Microsoft OS because of an un-updatable league/oauth2 server dependency. (Does not affect Concrete 9+) | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a | Mlocati | 2025-04-01 | n/a | n/a | n/a
Concrete CMS 9 below 9.4.0RC2 and below 8.5.20
Concrete CMS 9 below 9.4.0RC2 and below 8.5.20 | CVE-2025-3153 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. Attackers are limited to individuals whom a site administrator has granted the ability to fill in an address attribute. It is possible for the attacker to glean limited information from the site, but the amount and type are restricted by mitigating controls and the level of access of the attacker. Limited data modification is possible. The dashboard page itself could be rendered unavailable. The fix only sanitizes new data uploaded after the update to Concrete CMS 9.4.0RC2. Existing database entries added before the update will still be "live" if successful exploits were added under previous versions; a database search is recommended. | 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L | N/A | Myq Larson | 2025-04-01
Concrete 9 below 9.4.0 (Concrete 8 not affected)
Concrete 9.0.0 through 9.3.9 | CVE-2025-0660 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in the Folder function. The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. Fixed by adding sanitation to the folder selector dropdown output with commit 11bef02 and by fixing folder deletion issues with commit 7c134e9. Versions below 9 are not affected. | 4.8 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N | pending | scored only v4.0 | scored only v4.0 | Alfin Joseph | 2025-03-04 | 2025-03-10
Concrete below 9.3.6
Concrete below 9.3.6 | no CVE - for informational purposes only | See Concrete Team information - Concrete CMS is now a CNA | Concrete below 9.3.6 does not automatically set security headers for cached pages. Security headers have to be set manually in .htaccess or in the apache / nginx settings. | 0 | 0 | N/A - Security informational Updates are not assessed | N/A - Security informational Updates are not assessed | N/A - Security Updates are not assessed | N/A - Security Updates are not assessed | N/A - Security Updates are not assessed | N/A - Security Updates are not assessed | Hissy | 2024-11-05 | N/A
Concrete below 9.3.4
Concrete below 9.3.4 | CVE-2024-8660 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 through 9.3.4 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page. This does not affect versions below 9.0.0 since they do not have the Top Navigation Bar block. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 4.8 | N/A | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Chu Quoc Khanh (k0i3n) | 2024-09-17 | 2024-09-17
Concrete 9 below 9.3.4 and Concrete 8 below 8.5.19
Concrete 9 below 9.3.4 and Concrete 8 below 8.5.19 | CVE-2024-8661 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 to 9.3.4 and below 8.5.18 are vulnerable to Stored XSS in the "Next&Previous Nav" block. Since the "Next&Previous Nav" block output was not sufficiently sanitized, a rogue administrator could add a malicious payload that would be executed in the browsers of targeted users. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | N/A | N/A | N/A | Chu Quoc Khanh (k0i3n) | 2024-09-16 | 2024-09-16
Concrete 9 below 9.3.4 and Concrete 8 below 8.5.19 | CVE-2024-7398 | See Concrete Team information - Concrete CMS is now a CNA | Concrete version 9 below 9.3.4 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 5.4 | N/A | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Yusuke Uchida | 2024-09-24 | 2024-09-24 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC.
Concrete 9 below 9.3.4 and Concrete 8 below 8.5.19 | CVE-2024-8291 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9 below 9.3.4 and versions below 8.5.19 are vulnerable to stored XSS in the Image Editor Background Color. A rogue admin could add malicious code to the Thumbnails/Add Type. | 5.1 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 4.8 | N/A | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Alexey Solovyev (solov9ev) | 2024-09-24 | 2024-09-24 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC.
Concrete 9 to 9.3.3 and versions below 8.5.19
Concrete 9 to 9.3.3 and versions below 8.5.19 | CVE-2024-8291 | See Concrete Team information - Concrete CMS is now a CNA | Concrete version 9 below 9.3.4 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. | 5.1 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 4.8 | N/A - CVSS v3.2 Obsolete | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Alexey Solovyev | 08-10-2024 | 2024-08-10 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC.
Concrete 9 to 9.3.3 and versions below 8.5.19 | CVE-2024-7398 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the Calendar Event Addition feature. Users or groups with permission to create event calendars could embed scripts and users or groups with permission to modify event calendars could execute scripts. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 5.4 | N/A | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Yusuke Uchida | 2024-08-10 | 2024-08-10 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC.
Concrete below 9.3.3
Concrete below 9.3.3 | no CVE - for informational purposes only | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9.3.3 now enforces the Secure flag for the CONCRETE cookie by default if a login request is using https. This is in line with industry best practice. If a site is served over http:// and the guest uses http:// to log in, the CONCRETE cookie will not have the Secure flag applied so that the site is usable. Although the patch could not be applied cleanly to version 8, the Secure flag setting can be configured via the dashboard. Since this is a configuration setting, no CVE is being issued. | 0 | N/A - Security Updates are not assessed | None | N/A | 0 | N/A | None | N/A | Yusuke Uchida | 2024-08-08 | 2024-08-08
Concrete 9 to 9.3.2 and versions below 8.5.18
Concrete 9 to 9.3.2 and versions below 8.5.18 | CVE-2024-4350 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. | 5.1 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 4.8 | CVSS v3.1 deprecated | CVSS v3.1 deprecated | m3dium | 2024-08-08 | 2024-08-12 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC.
Concrete 9 to 9.3.2 and versions below 8.5.18 | CVE-2024-7394 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | 2.0 | pending | AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N | CVSS v3.1 deprecated | m3dium | 2024-08-08 | 2024-08-08 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC.
Concrete 9 to 9.3.2
Concrete 9 to 9.3.2 (versions below 9 not affected) | CVE-2024-4353 | See Concrete Team information - Concrete CMS is now a CNA | Stored XSS in Generate Board Name Input Field: Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently, letting a rogue administrator inject malicious JavaScript code. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A - CVSS v3.1 deprecated | pending | CVSS v3.1 deprecated | CVSS v3.1 deprecated | fhAnso | 2024-08-01 | 2024-08-01 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC.
Concrete 9 to 9.3.2 (versions below 9 not affected) | CVE-2024-7512 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A - CVSS v3.1 deprecated | 4.8 | CVSS v3.1 deprecated | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | m3dium | 2024-08-09 | 2024-08-12 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC.
Concrete 9 to 9.2.7 and Concrete 8 below 8.5.16
Concrete 9 to 9.2.7 and Concrete 8 below 8.5.16 | CVE-2024-3180 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 are vulnerable to Stored XSS in blocks of type file. Prior to the fix, stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file. | N/A | N/A | N/A | N/A | 3.1 | pending | AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L | CVSS v3.1 deprecated | Alexey Solovyev | 2024-03-04 | 2024-04-03
Concrete 9 to 9.2.7 and Concrete 8 below 8.5.16 | CVE-2024-3181 | See Concrete Team information - Concrete CMS is now a CNA | Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. | N/A | N/A | N/A | N/A | 3.1 | pending | AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L | CVSS v3.1 deprecated | Alexey Solovyev | 2024-04-03 | 2024-04-03
Concrete 9 to 9.2.6 (versions below 9 not affected)
Concrete 9 to 9.2.6 | CVE-2024-2179 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator-provided data for that field. A rogue administrator could inject malicious code into the Name field which might be executed when users visit the affected page. | N/A | N/A | N/A | N/A | 2.2 | pending | AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N | Luca Fuda | 2024-03-05 | 2024-03-05
Concrete 9 to 9.2.5
Concrete 9.0.0 to 9.2.5 | CVE-2024-1245 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator-entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. | N/A | N/A | N/A | N/A | 2.4 | 4.8 | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N | Poto Gabor | 2024-02-06 | 2024-02-09
Concrete 9.0.0 to 9.2.5 | CVE-2024-1246 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import feature due to insufficient validation of administrator-provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code in the website user's browser. This does not affect Concrete versions prior to version 9. | N/A | N/A | N/A | N/A | 2 | 4.8 | AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | cupc4k3 | 2024-02-06 | 2024-02-09
Concrete 9.0.0 to 9.2.5 | CVE-2024-1247 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator-provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. Concrete versions below 9 do not include group types, so they are not affected by this vulnerability. | N/A | N/A | N/A | N/A | 2 | 4.8 | AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | cupc4k3 | 2024-02-06 | 2024-02-09
Concrete 9.2.0 through 9.2.2
Concrete 9.2.0 through 9.2.2 | CVE-2023-44762 | A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags | A Cross Site Scripting (XSS) vulnerability in Concrete CMS version 9.2 through 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tag. The file this touches is in Bedrock, using a custom library the project wrote for version 9.2.0. | N/A | N/A | N/A | N/A | did not rank. Found in wild. | 5.4 | did not rank. Found in wild. | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Did not communicate with Concrete. Found in wild. | 2023-10-06 | N/A