|
2161
|
8.8 |
HIGH
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The Concrete CMS security team gave this vulnerability a CVSS v.4…
|
CWE-352
CWE-1275
Origin Validation Error
Sensitive Cookie with Improper SameSite Attribute
|
CVE-2026-8434
|
2026-05-27 02:59 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2162
|
6.5 |
MEDIUM
Network
|
golang
|
crypto
|
An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users.…
|
CWE-924
Improper Enforcement of Message Integrity During Transmission in a Communication Channel
|
CVE-2026-39827
|
2026-05-27 02:58 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2163
|
5.3 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being…
|
CWE-425
Direct Request ('Forced Browsing')
|
CVE-2026-8205
|
2026-05-27 02:43 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2164
|
8.8 |
HIGH
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access …
|
CWE-863
Incorrect Authorization
|
CVE-2026-8350
|
2026-05-27 02:42 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2165
|
5.4 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnera…
|
CWE-79
Cross-site Scripting
|
CVE-2026-8139
|
2026-05-27 02:41 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2166
|
4.3 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns int…
|
CWE-862
Missing Authorization
|
CVE-2026-8236
|
2026-05-27 02:37 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2167
|
5.3 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enu…
|
CWE-862
Missing Authorization
|
CVE-2026-8237
|
2026-05-27 02:34 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2168
|
5.3 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enume…
|
CWE-862
Missing Authorization
|
CVE-2026-8238
|
2026-05-27 02:29 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2169
|
5.3 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security …
|
CWE-862
Missing Authorization
|
CVE-2026-8239
|
2026-05-27 02:25 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2170
|
5.3 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted …
|
CWE-284
NVD-CWE-noinfo
Improper Access Control
|
CVE-2026-8240
|
2026-05-27 02:24 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
