Concrete CMS: 25 CVEs Disclosed Together, 12 High-Severity CSRF Bugs Lead the Batch
Concrete CMS ships 9.5.1 to patch 25 vulnerabilities — including 12 CSRF bugs, IDOR leaks of private messages, and XSS flaws — all affecting versions 9.0 through 9.5.0.

Key findings
- 25 CVEs disclosed together for Concrete CMS 9.x up to 9.5.0
- 12 high-severity CSRF bugs in file-management and dialog controllers
- IDOR flaws expose private conversation messages and page metadata to unauthenticated users
- Password-change bypass (CVE-2026-8327) removes current-password requirement
- Stored XSS in Atomik theme page-name field (CVE-2026-8353) and external-link cvName (CVE-2026-8139)
- All vulnerabilities fixed in Concrete CMS 9.5.1; no active exploitation reported
Concrete CMS shipped a security release on May 21–22, 2026, addressing 25 vulnerabilities spanning cross-site request forgery (CSRF), insecure direct object references (IDOR), stored and reflected cross-site scripting (XSS), and information disclosure — all affecting version 9.x up to 9.5.0. The batch, reported primarily by Yonatan Drori (Tenzai) and the Concrete CMS security team, includes 12 high-severity CSRF flaws and a cluster of IDOR bugs that expose private conversation messages, page metadata, and survey data to unauthenticated attackers.
CSRF cluster dominates the batch
The largest thematic group is a set of 12 CSRF vulnerabilities, each rated High (CVSSv3 8.8) and located in backend file-management and dialog controllers. CVE-2026-8434, CVE-2026-8433, CVE-2026-8432, CVE-2026-8427, and CVE-2026-8416 target file operations such as rescanMultiple(), rescan(), star(), removeFavoriteFolder(), and addFavoriteFolder(). Additional CSRF bugs hit dialog endpoints for Express association reordering (CVE-2026-8415), event duplication (CVE-2026-8414), and bulk page actions — design (CVE-2026-8413), cache (CVE-2026-8412), delete (CVE-2026-8411), and log deletion (CVE-2026-8410, CVE-2026-8409). A separate lower-severity CSRF (CVE-2026-8340, CVSSv3 4.3) allows a victim with edit_file_contents permission to be tricked into approving an attacker-chosen file version.
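The weakness shared by these twelve endpoints is that a state-changing action trusted the session cookie alone, which the victim's browser attaches to a form post from any site. The model below is an added example, not Concrete CMS code: the session cookie name, the `folderID` field and the `ccm_token` field are assumptions chosen for illustration, and the hardened handler shows the shape of the fix (an action-bound, per-session token compared in constant time before any state change, with the browser's Sec-Fetch-Site header as a second line of defence).

```python
"""Model of the CSRF weakness class behind the file-management and dialog bugs.

Added example; this is not Concrete CMS code. The session cookie name, the
`folderID` form field and the `ccm_token` field are assumptions made for
illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: int
    # Per-session secret from which action-bound tokens are derived.
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict


SESSIONS: dict = {}   # session-cookie value -> Session (hypothetical store)
FAVORITES: dict = {}  # user_id -> set of favourited folder IDs (hypothetical state)


def session_for(req: Request):
    """Browsers attach cookies to cross-site form posts, so this lookup
    succeeds for a forged request exactly as it does for a genuine one."""
    return SESSIONS.get(req.cookies.get("session"))


def csrf_token(session: Session, action: str) -> str:
    """Action-bound token: HMAC(per-session secret, action name). A token
    obtained for one action cannot be replayed against another."""
    return hmac.new(session.csrf_secret.encode(), action.encode(),
                    hashlib.sha256).hexdigest()


def add_favorite_folder_vulnerable(req: Request) -> int:
    """Checks only that a session exists, then mutates state."""
    sess = session_for(req)
    if sess is None:
        return 401
    FAVORITES.setdefault(sess.user_id, set()).add(int(req.form["folderID"]))
    return 200


def add_favorite_folder_hardened(req: Request) -> int:
    """Same action, but the form must carry a token the attacker's origin
    cannot read, checked in constant time before any state change."""
    sess = session_for(req)
    if sess is None:
        return 401
    expected = csrf_token(sess, "add_favorite_folder")
    if not hmac.compare_digest(expected, req.form.get("ccm_token", "")):
        return 403
    # Defence in depth: modern browsers label cross-site form posts.
    if req.headers.get("Sec-Fetch-Site") == "cross-site":
        return 403
    FAVORITES.setdefault(sess.user_id, set()).add(int(req.form["folderID"]))
    return 200


def simulate() -> dict:
    """Replay a forged cross-site POST, a token replayed from another
    action, and a genuine request through both handlers."""
    SESSIONS.clear()
    FAVORITES.clear()
    sess = Session(user_id=7)
    SESSIONS["abc123"] = sess
    # Attacker page auto-submits a form: the cookie rides along, no token.
    forged = Request(cookies={"session": "abc123"},
                     form={"folderID": "42"},
                     headers={"Sec-Fetch-Site": "cross-site"})
    # A token harvested for a different action does not transfer.
    replayed = Request(cookies={"session": "abc123"},
                       form={"folderID": "44",
                             "ccm_token": csrf_token(sess, "rescan")},
                       headers={"Sec-Fetch-Site": "same-origin"})
    # Genuine request from the dashboard, carrying the action's own token.
    genuine = Request(cookies={"session": "abc123"},
                      form={"folderID": "43",
                            "ccm_token": csrf_token(sess, "add_favorite_folder")},
                      headers={"Sec-Fetch-Site": "same-origin"})
    return {
        "vulnerable_forged": add_favorite_folder_vulnerable(forged),
        "hardened_forged": add_favorite_folder_hardened(forged),
        "hardened_replayed": add_favorite_folder_hardened(replayed),
        "hardened_genuine": add_favorite_folder_hardened(genuine),
        "favorites": sorted(FAVORITES[7]),
    }


if __name__ == "__main__":
    print(simulate())
```

The vulnerable handler accepts the forged post and folder 42 lands in the victim's favourites; the hardened one rejects both the token-less post and the replayed token, and only the genuine request (folder 43) goes through.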
IDOR and information disclosure bugs
Seven IDOR vulnerabilities make up the next-largest group. CVE-2026-8237, CVE-2026-8238, and CVE-2026-8239 expose the full content and rating of conversation messages via unauthenticated endpoints (/ccm/frontend/conversations/message_detail, message_page, and get_rating), allowing enumeration of messages from restricted pages and the moderation queue. CVE-2026-8236 leaks internal site structure data (page IDs, versions, URL paths) through the file-usage dialog endpoint. CVE-2026-8337 lets an unauthenticated attacker vote in restricted surveys by submitting a restricted option ID through a public survey's endpoint. CVE-2026-8347 enables cross-entity state tampering in the Express association reorder dialog. CVE-2026-8240 discloses page metadata (title, path, description, author) for private, draft, and restricted pages via summary templates.
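Because the three conversation endpoints answer without a session, the only place an enumeration of messages leaves a trace is the web server access log. The script below is an added example, not a Concrete CMS tool: it parses combined-format log lines, keeps successful hits on the endpoints named above, and flags any client that pulled at least a threshold number of distinct message IDs. The query parameter name `cnvMessageID` is an assumption, and the log lines are constructed sample data.

```python
"""Detection of enumeration against the conversation IDOR endpoints.

Added example, not Concrete CMS code or tooling. The endpoint paths are the
ones named in the advisory; the parameter name `cnvMessageID` and the sample
log lines are assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

IDOR_ENDPOINTS = (
    "/ccm/frontend/conversations/message_detail",
    "/ccm/frontend/conversations/message_page",
    "/ccm/frontend/conversations/get_rating",
)
ID_PARAM = "cnvMessageID"  # assumed name of the message-ID query parameter

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return the parsed record, or None for lines that are not access-log entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["endpoint"] = parts.path
    rec["query"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    return rec


def find_enumeration(log_text: str, threshold: int = 10) -> dict:
    """Group hits on the IDOR endpoints by client IP and flag any client
    that received at least `threshold` distinct message IDs with HTTP 200."""
    ids = defaultdict(set)
    endpoints = defaultdict(set)
    requests = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["endpoint"] not in IDOR_ENDPOINTS:
            continue
        ip = rec["ip"]
        requests[ip] += 1
        endpoints[ip].add(rec["endpoint"].rsplit("/", 1)[1])
        # Only a 200 proves that message content was actually returned.
        if rec["status"] == 200 and ID_PARAM in rec["query"]:
            ids[ip].add(rec["query"][ID_PARAM][0])
    return {
        ip: {"distinct_ids": len(ids[ip]),
             "requests": requests[ip],
             "endpoints": sorted(endpoints[ip])}
        for ip in requests if len(ids[ip]) >= threshold
    }


def _log_line(ip: str, path: str, status: int = 200, ua: str = "curl/8.5.0") -> str:
    """Build one combined-log-format line (constructed sample data, not real traffic)."""
    return (f'{ip} - - [22/May/2026:10:01:02 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed sample: one client walking message IDs 100..111, one normal visitor.
SAMPLE_LOG = "\n".join(
    [_log_line("203.0.113.7",
               f"/ccm/frontend/conversations/message_detail?cnvMessageID={i}")
     for i in range(100, 112)]
    + [_log_line("203.0.113.7",
                 "/ccm/frontend/conversations/get_rating?cnvMessageID=105")]
    + [_log_line("203.0.113.7",
                 "/ccm/frontend/conversations/message_detail?cnvMessageID=999", 404)]
    + [_log_line("198.51.100.4",
                 "/ccm/frontend/conversations/message_page?cnvMessageID=3", ua="Mozilla/5.0")]
    + [_log_line("198.51.100.4",
                 "/ccm/frontend/conversations/message_page?cnvMessageID=4", ua="Mozilla/5.0")]
    + [_log_line("198.51.100.4", "/index.php/about", ua="Mozilla/5.0")]
)


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

On the sample, only 203.0.113.7 is flagged: twelve distinct IDs across message_detail and get_rating, with the 404 for ID 999 counted as a request but not as a disclosed message. The normal visitor with two IDs stays below the threshold. Tune `threshold` to the site's real traffic; a busy community site may legitimately serve many distinct messages to one proxy address.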
XSS and authentication bypass
Three XSS flaws were disclosed. CVE-2026-8353 (CVSSv3 4.8) is a stored XSS in the Atomik theme's page-name field: a rogue editor can inject JavaScript that executes for any authenticated user who visits the affected account pages. CVE-2026-8139 (CVSSv3 5.4) is a stored XSS in the external-link page cvName field, where updateCollectionAliasExternal bypasses sanitization. CVE-2026-8245 (CVSSv3 5.4) is a reflected XSS in the legacy pagination component, where the $URL field is interpolated raw into href attributes; the victim is any authenticated admin or report viewer with access to /dashboard/reports/f who follows a crafted link. Separately, CVE-2026-8327 (CVSSv3 4.3) allows a password change without re-entering the current password: the user-profile edit controller passes the entire raw POST array to UserInfo::update() without whitelisting fields, so the current-password check and the session-hardening steps that normally accompany a password change are skipped.
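The password-change bug is a mass-assignment problem: whatever keys arrive in the POST body reach the update routine, so the gate that should sit in front of a password change is never consulted. The model below is an added example, not Concrete CMS code; its UserInfo class and update() are a simplified stand-in, and which other keys the real method honours is not stated in the advisory. It shows the controller both ways: raw pass-through, and a whitelist plus reauthentication check applied before update() is called.

```python
"""Model of the mass-assignment pattern behind the password-change bypass.

Added example, not Concrete CMS code. UserInfo and update() here are a
simplified stand-in for illustration; the real method's behaviour for other
keys is not described in the advisory.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserInfo:
    email: str
    salt: bytes
    password_hash: bytes

    def check_password(self, candidate: str) -> bool:
        return hmac.compare_digest(self.password_hash,
                                   hash_password(candidate, self.salt))

    def update(self, data: dict) -> None:
        """Applies every key it recognises. Fed raw POST data, this is the
        mass-assignment sink: the caller must have filtered `data` first."""
        if "password" in data:
            self.salt = secrets.token_bytes(16)
            self.password_hash = hash_password(data["password"], self.salt)
        if "email" in data:
            self.email = data["email"]


PROFILE_FIELDS = {"email"}  # fields the profile form may change without reauthentication


def edit_profile_vulnerable(user: UserInfo, post: dict) -> int:
    """Whole POST array straight into update(): a 'password' key changes
    the password with no current-password check."""
    user.update(post)
    return 200


def edit_profile_hardened(user: UserInfo, post: dict) -> int:
    """Whitelist the fields first, then gate any password change on the
    current password before anything is written."""
    data = {k: v for k, v in post.items() if k in PROFILE_FIELDS}
    if "password" in post:
        if not user.check_password(post.get("current_password", "")):
            return 403
        data["password"] = post["password"]
    user.update(data)
    # Session hardening (rotate this session, revoke the others) belongs
    # here after a successful password change; it is outside this model.
    return 200


def new_user() -> UserInfo:
    salt = secrets.token_bytes(16)
    return UserInfo(email="alice@example.com", salt=salt,
                    password_hash=hash_password("old-secret", salt))


def simulate() -> dict:
    """Run one forged and one legitimate profile edit through both controllers."""
    forged = {"email": "attacker@example.com", "password": "pwned"}  # no current_password
    victim_a = new_user()
    vulnerable_status = edit_profile_vulnerable(victim_a, forged)
    victim_b = new_user()
    hardened_status = edit_profile_hardened(victim_b, forged)
    victim_c = new_user()
    legit = {"password": "fresh-secret", "current_password": "old-secret"}
    legit_status = edit_profile_hardened(victim_c, legit)
    return {
        "vulnerable": (vulnerable_status, victim_a.check_password("pwned")),
        "hardened_forged": (hardened_status, victim_b.check_password("old-secret"),
                            victim_b.email),
        "hardened_legit": (legit_status, victim_c.check_password("fresh-secret")),
    }


if __name__ == "__main__":
    print(simulate())
```

The vulnerable controller returns 200 and the attacker's password now verifies; the hardened controller rejects the same request with 403 and leaves both password and email untouched, while a request carrying the correct current password still succeeds.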
Patch status and affected versions
All 25 CVEs affect Concrete CMS versions 9.0 through 9.5.0. The Concrete CMS security team has addressed the full batch in version 9.5.1. Users running any 9.x release below 9.5.1 are advised to upgrade immediately. No in-the-wild exploitation has been reported for any of these CVEs as of the disclosure date.
Why this batch matters
While none of the 25 CVEs carry a Critical severity rating, the sheer volume — particularly the 12 CSRF bugs and the unauthenticated IDOR endpoints — significantly expands the attack surface for Concrete CMS sites. The preconditions differ: the CSRF bugs still need a logged-in user with the relevant permissions to be lured to an attacker-controlled page, whereas the IDOR endpoints require no session at all. That is why the conversation-message enumeration flaws (CVE-2026-8237, CVE-2026-8238) are especially concerning for community or membership sites that rely on private messaging. The password-change bypass (CVE-2026-8327) removes a core authentication control. Site administrators should prioritize the 9.5.1 upgrade, review any custom integrations that interact with the affected file, dialog, and conversation endpoints, and check access logs for unauthenticated bursts of requests to the conversation endpoints.