Concrete Cms
46 CVEs

CVE ID | Severity | Product / summary | Published
CVE-2026-10721
HIGH 8.4
Concrete Cms — Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Permission, …
2026-06-10
CVE-2026-7888
HIGH 8.4
Concrete Cms — Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form b…
2026-06-03
CVE-2026-8340
LOW 2.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_con…
2026-05-22
CVE-2026-8347
LOW 2.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reor…
2026-05-22
CVE-2026-8353
LOW 2.1
Concrete Cms — Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue edito…
2026-05-22
CVE-2026-6826
MEDIUM 6.9
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission ch…
2026-05-21
CVE-2026-7879
MEDIUM 6.3
Concrete Cms — In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_fi…
2026-05-21
CVE-2026-7881
MEDIUM 6.3
Concrete Cms — Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail…
2026-05-21
CVE-2026-7882
LOW 2.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check …
2026-05-21
CVE-2026-7886
LOW 2.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter whi…
2026-05-21
CVE-2026-7887
LOW 2.3
Concrete Cms — For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uI…
2026-05-21
CVE-2026-7890
LOW 2.1
Concrete Cms — In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches i…
2026-05-21
CVE-2026-8134
CRITICAL 9.4
Concrete Cms — Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlC…
2026-05-21
CVE-2026-8135
HIGH 8.9
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring…
2026-05-21
CVE-2026-8139
LOW 2.0
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectio…
2026-05-21
CVE-2026-8140
HIGH 7.5
Concrete Cms — Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/in…
2026-05-21
CVE-2026-8197
HIGH 7.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize templ…
2026-05-21
CVE-2026-8203
HIGH 7.3
Concrete Cms — Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanit…
2026-05-21
CVE-2026-8204
MEDIUM 6.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which…
2026-05-21
CVE-2026-8205
MEDIUM 6.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_even…
2026-05-21
CVE-2026-8236
MEDIUM 6.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /…
2026-05-21
CVE-2026-8237
MEDIUM 6.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint …
2026-05-21
CVE-2026-8238
MEDIUM 6.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint re…
2026-05-21
CVE-2026-8239
MEDIUM 6.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint conf…
2026-05-21
CVE-2026-8240
MEDIUM 6.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with …
2026-05-21
CVE-2026-8245
MEDIUM 6.0
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection.…
2026-05-21
CVE-2026-8327
MEDIUM 5.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to password change without reauthorization and session-harden…
2026-05-21
CVE-2026-8337
MEDIUM 6.3
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be confi…
2026-05-21
CVE-2026-8350
HIGH 7.5
Concrete Cms — Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can …
2026-05-21
CVE-2026-8409
LOW 2.3
Concrete Cms — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/…
2026-05-21
CVE-2026-8410
LOW 2.3
Concrete Cms — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/…
2026-05-21
CVE-2026-8411
LOW 2.3
Concrete Cms — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/…
2026-05-21
CVE-2026-8412
LOW 2.3
Concrete Cms — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog…
2026-05-21
CVE-2026-8413
LOW 2.3
Concrete Cms — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/…
2026-05-21
CVE-2026-8414
LOW 2.3
Concrete Cms — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/…
2026-05-21
CVE-2026-8415
LOW 2.3
Concrete Cms — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/…
2026-05-21
CVE-2026-8416
LOW 2.3
Concrete Cms — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend…
2026-05-21
CVE-2026-8417
HIGH 7.5
Concrete Cms — Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/up…
2026-05-21
CVE-2026-8421
HIGH 7.5
Concrete Cms — Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/control…
2026-05-21
CVE-2026-8426
HIGH 7.5
Concrete Cms — Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/up…
2026-05-21
CVE-2026-8427
LOW 2.3
Concrete Cms — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend…
2026-05-21
CVE-2026-8428
HIGH 7.5
Concrete Cms — Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_upd…
2026-05-21
CVE-2026-8432
LOW 2.3
Concrete Cms — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend…
2026-05-21
CVE-2026-8433
LOW 2.3
Concrete Cms — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend…
2026-05-21
CVE-2026-8434
LOW 2.3
Concrete Cms — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend…
2026-05-21
CVE-2026-8435
LOW 2.3
Concrete Cms — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend…
2026-05-21
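Three entries above (CVE-2026-10721, CVE-2026-7888 and CVE-2026-8135) describe PHP Object Injection or insecure deserialization reached through unserialize(). The following is an added example written for this page, not code from Concrete CMS, showing the vulnerable call next to the two mitigations a reviewer would ask for. The TempFileCleaner gadget class, the serialized payload and the path inside it are constructed for the demonstration; PHP 8 is assumed.

```php
<?php
// Added example, not Concrete CMS code: why unserialize() on attacker-controlled
// bytes is PHP Object Injection, and what the allowed_classes option changes.
// The class, the payload and the path below are constructed for the demo.
declare(strict_types=1);

// Hypothetical gadget: any autoloadable class whose magic method acts on
// attacker-supplied property values. Real gadgets live in the app or its vendors.
final class TempFileCleaner
{
    public string $path = '';

    // Runs automatically when the object is freed, including an object that
    // only exists because unserialize() built it from the attacker's string.
    public function __destruct()
    {
        if ($this->path !== '') {
            echo "[gadget] __destruct fired with path={$this->path}\n";
            // a real gadget would unlink($this->path), write a file, etc.
        }
    }
}

// Attacker-controlled input, e.g. a request parameter or a DB column that a
// low-privileged editor can write (constructed payload, 15 = strlen of the class name).
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:11:"/etc/passwd";}';

function vulnerable(string $data): void
{
    // Every class the autoloader can find may be instantiated, and its
    // __wakeup / __destruct / __toString will run: classic PHP Object Injection.
    $obj = unserialize($data);
    echo 'vulnerable(): got ' . get_class($obj) . "\n";
    // $obj is freed here, so the gadget's __destruct runs before we return.
}

function hardened(string $data): void
{
    // allowed_classes => false turns every object in the stream into
    // __PHP_Incomplete_Class, whose magic methods never run. Scalars and arrays
    // still round-trip, which is all most callers actually need. An allow-list
    // (['allowed_classes' => ['SomeDto']]) is the next option, but only if none
    // of the listed classes carries magic methods that act on its properties.
    $obj = unserialize($data, ['allowed_classes' => false]);
    echo 'hardened(): got ' . get_class($obj) . "\n";
}

function safest(string $data): mixed
{
    // Preferred for new code paths: a format that cannot express objects at all.
    return json_decode($data, true, 512, JSON_THROW_ON_ERROR);
}

vulnerable($payload);   // instantiates the gadget; __destruct fires on scope exit
hardened($payload);     // __PHP_Incomplete_Class, no gadget code runs
var_dump(safest('{"path":"/tmp/x"}'));
```

When auditing a code base for this class of bug, grep for unserialize( and treat every call without allowed_classes => false (or a tight allow-list) as suspect unless the input provably never leaves server control; signed or encrypted serialized blobs are acceptable only if the signature is verified before unserialize() is reached.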
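Many of the entries above are CSRF findings of two shapes: a controller that never validates the token its view emits (CVE-2026-8140, CVE-2026-8417, CVE-2026-8421, CVE-2026-8426, CVE-2026-8428) and a check written backwards so that a valid token is rejected and a forged request passes (CVE-2026-7882). The following added example, not Concrete CMS code, uses a small constructed HMAC token class and placeholder names (the delete_file action, the ccm_token parameter and the fileId field are assumptions, not identifiers taken from the project) to show both bugs beside the correct fail-closed check.

```php
<?php
// Added example, not Concrete CMS code: a minimal per-session, per-action CSRF
// token and the three handler shapes the advisories describe. The token scheme,
// the session secret, the requests and all names are constructed placeholders.
declare(strict_types=1);

final class CsrfToken
{
    // In a real app the secret lives in the server-side session, never in a cookie
    // the attacker's page could read or set.
    public function __construct(private string $sessionSecret) {}

    // Bind the token to the action as well as the session, so a token leaked
    // from one form cannot be replayed against a different endpoint.
    public function generate(string $action): string
    {
        return hash_hmac('sha256', $action, $this->sessionSecret);
    }

    public function validate(string $action, ?string $presented): bool
    {
        if ($presented === null || $presented === '') {
            return false;
        }
        // Constant-time compare; never use == or === on secret material.
        return hash_equals($this->generate($action), $presented);
    }
}

// 1. Missing check: a view emitted a token, but the controller never looks at it.
function deleteFileMissingCheck(array $req): string
{
    return "deleted file {$req['fileId']}";
}

// 2. Inverted check: the condition is backwards. The legitimate form submission
//    (valid token) is rejected, and a forged cross-site POST with no token passes.
function deleteFileInvertedCheck(array $req, CsrfToken $token): string
{
    if ($token->validate('delete_file', $req['ccm_token'] ?? null)) {
        return 'error: invalid token';          // bug: rejects the real user
    }
    return "deleted file {$req['fileId']}";     // bug: forged request lands here
}

// 3. Correct check: fail closed unless the token validates for this action.
function deleteFileCorrect(array $req, CsrfToken $token): string
{
    if (!$token->validate('delete_file', $req['ccm_token'] ?? null)) {
        return 'error: invalid token';
    }
    return "deleted file {$req['fileId']}";
}

$token = new CsrfToken(bin2hex(random_bytes(32)));

// The victim's own form carries the token; a cross-site forgery cannot know it,
// because the attacker's origin can neither read the victim's page nor the session.
$legit  = ['fileId' => 42, 'ccm_token' => $token->generate('delete_file')];
$forged = ['fileId' => 42];

$handlers = [
    'missing'  => fn(array $r): string => deleteFileMissingCheck($r),
    'inverted' => fn(array $r): string => deleteFileInvertedCheck($r, $token),
    'correct'  => fn(array $r): string => deleteFileCorrect($r, $token),
];

foreach ($handlers as $name => $handler) {
    printf("%-8s legit => %-22s forged => %s\n", $name, $handler($legit), $handler($forged));
}
```

Running it shows the missing-check handler deleting on both requests, the inverted handler refusing the legitimate request while accepting the forged one, and only the correct handler refusing the forged request. The practical audit rule this illustrates: every state-changing controller action needs a validate call whose failure branch returns before any side effect, and a token that is only emitted by a view (the pattern CVE-2026-8428 describes) protects nothing.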