Medium severity5.3NVD Advisory· Published May 21, 2026· Updated May 26, 2026
CVE-2026-8337
CVE-2026-8337
Description
Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey’s endpoint. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Zer0daySec https://github.com/Zee99y for reporting
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
concrete5/concrete5Packagist | < 9.5.1 | 9.5.1 |
Affected products
3Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-8c7c-h7px-267gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-8337ghsaADVISORY
- documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notesnvdRelease NotesWEB
News mentions
1- Concrete CMS: 25 CVEs Disclosed Together, 12 High-Severity CSRF Bugs Lead the BatchVypr Intelligence · May 22, 2026