|
3151
|
4.9 |
MEDIUM
Network
|
-
|
-
|
OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying…
|
CWE-22
Path Traversal
|
CVE-2026-41917
|
2026-05-27 00:16 |
2026-05-27 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3152
|
9.0 |
CRITICAL
Network
|
-
|
-
|
A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce …
|
CWE-862
Missing Authorization
|
CVE-2026-2651
|
2026-05-27 00:16 |
2026-05-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3153
|
5.3 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs…
|
CWE-200
Information Exposure
|
CVE-2026-6826
|
2026-05-26 23:59 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3154
|
5.3 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-8204
|
2026-05-26 23:58 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3155
|
8.8 |
HIGH
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/da…
|
CWE-352
Origin Validation Error
|
CVE-2026-8417
|
2026-05-26 23:57 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3156
|
8.8 |
HIGH
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package ret…
|
CWE-352
CWE-829
Origin Validation Error
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-8426
|
2026-05-26 23:57 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3157
|
8.8 |
HIGH
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticate…
|
CWE-352
Origin Validation Error
|
CVE-2026-8421
|
2026-05-26 23:57 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3158
|
8.8 |
HIGH
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashb…
|
CWE-352
CWE-829
Origin Validation Error
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-8428
|
2026-05-26 23:57 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3159
|
4.3 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and procee…
|
CWE-352
Origin Validation Error
|
CVE-2026-7882
|
2026-05-26 23:56 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3160
|
4.3 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version…
|
CWE-352
Origin Validation Error
|
CVE-2026-8340
|
2026-05-26 23:55 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
