|
71
|
7.5 |
HIGH
Network
|
-
|
-
|
Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand.
Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
New
|
CWE-331
Insufficient Entropy
|
CVE-2026-46473
|
2026-05-22 07:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
72
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attack…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-22678
|
2026-05-22 07:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
73
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashb…
New
|
CWE-352
CWE-829
Origin Validation Error
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-8428
|
2026-05-22 06:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
74
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package ret…
New
|
CWE-352
CWE-829
Origin Validation Error
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-8426
|
2026-05-22 06:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
75
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticate…
New
|
CWE-352
Origin Validation Error
|
CVE-2026-8421
|
2026-05-22 06:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
76
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/da…
New
|
CWE-352
Origin Validation Error
|
CVE-2026-8417
|
2026-05-22 06:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
77
|
- |
|
-
|
-
|
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accid…
New
|
-
|
CVE-2026-8352
|
2026-05-22 06:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
78
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access …
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-8350
|
2026-05-22 06:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
79
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being…
New
|
CWE-425
Direct Request ('Forced Browsing')
|
CVE-2026-8205
|
2026-05-22 06:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
80
|
- |
|
-
|
-
|
Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot…
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-8204
|
2026-05-22 06:16 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
