|
51
|
- |
|
-
|
-
|
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete. The The Concrete CMS security team gave this vulnerability a CVSS v.4.…
New
|
CWE-352
CWE-1275
Origin Validation Error
Sensitive Cookie with Improper SameSite Attribute
|
CVE-2026-8410
|
2026-05-22 07:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
52
|
- |
|
-
|
-
|
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete. The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 sco…
New
|
CWE-352
CWE-1275
Origin Validation Error
Sensitive Cookie with Improper SameSite Attribute
|
CVE-2026-8409
|
2026-05-22 07:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
53
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unau…
New
|
CWE-565
CWE-639
Reliance on Cookies without Validation and Integrity Checking
Authorization Bypass Through User-Controlled Key
|
CVE-2026-8337
|
2026-05-22 07:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
54
|
- |
|
-
|
-
|
Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo…
New
|
CWE-269
CWE-620
CWE-915
Improper Privilege Management
Unverified Password Change
Improperly Controlled Modification of Dynamically-Determined Object Attributes
|
CVE-2026-8327
|
2026-05-22 07:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
55
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL fi…
New
|
CWE-83
Improper Neutralization of Script in Attributes in a Web Page
|
CVE-2026-8245
|
2026-05-22 07:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
56
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted …
New
|
CWE-284
Improper Access Control
|
CVE-2026-8240
|
2026-05-22 07:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
57
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security …
New
|
CWE-862
Missing Authorization
|
CVE-2026-8239
|
2026-05-22 07:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
58
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enume…
New
|
CWE-862
Missing Authorization
|
CVE-2026-8238
|
2026-05-22 07:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
59
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enu…
New
|
CWE-862
Missing Authorization
|
CVE-2026-8237
|
2026-05-22 07:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
60
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns int…
New
|
CWE-862
Missing Authorization
|
CVE-2026-8236
|
2026-05-22 07:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
