VYPR
Medium severity5.3NVD Advisory· Published May 21, 2026· Updated May 26, 2026

CVE-2026-6826

CVE-2026-6826

Description

Concrete CMS 9.5.0 and below  is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller.  Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions.The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
concrete5/concrete5Packagist
< 9.5.19.5.1

Affected products

3
  • Concrete5/Concrete5inferred3 versions
    <=9.5.0+ 2 more
    • (no CPE)range: <=9.5.0
    • cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*range: <9.5.1
    • (no CPE)range: <=9.5.0

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.