Medium severity4.3NVD Advisory· Published May 21, 2026· Updated May 22, 2026
CVE-2026-7881
CVE-2026-7881
Description
Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
concrete5/concrete5Packagist | < 9.5.1 | 9.5.1 |
Affected products
3Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-chfm-cm6h-q5x7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-7881ghsaADVISORY
- documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notesnvdRelease NotesWEB
News mentions
0No linked articles in our index yet.