VYPR

Packagist (Composer) package

concrete5/concrete5

pkg:composer/concrete5/concrete5

Vulnerabilities (79)

  • CVE-2026-8426HigMay 21, 2026
    affected < 9.5.1fixed 9.5.1

    Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and f

  • CVE-2026-8350HigMay 21, 2026
    affected < 9.5.1fixed 9.5.1

    Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group an

  • CVE-2026-8205MedMay 21, 2026
    affected < 9.5.1fixed 9.5.1

    Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 s

  • CVE-2026-8204MedMay 21, 2026
    affected < 9.5.1fixed 9.5.1

    Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this

  • CVE-2026-8203MedMay 21, 2026
    affected < 9.5.1fixed 9.5.1

    Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacki

  • CVE-2026-8197MedMay 21, 2026
    affected < 9.5.1fixed 9.5.1

    Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation helper as a sprintf-style format. The ... wrap is built by PHP str

  • CVE-2026-30662Mar 24, 2026
    affected <= 9.4.7

    ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_co

  • CVE-2026-2994Mar 4, 2026
    affected < 9.4.8fixed 9.4.8

    Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave

  • CVE-2026-3240Mar 4, 2026
    affected < 9.4.8fixed 9.4.8

    In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector

  • CVE-2026-3241Mar 4, 2026
    affected < 9.4.8fixed 9.4.8

    In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a

  • CVE-2026-3242Mar 4, 2026
    affected < 9.4.8fixed 9.4.8

    In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block.  The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.  Thanks M3di

  • CVE-2026-3244Mar 4, 2026
    affected < 9.4.8fixed 9.4.8

    In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScri

  • CVE-2026-3452Mar 4, 2026
    affected < 9.4.8fixed 9.4.8

    Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are

  • CVE-2025-8571Aug 5, 2025
    affected < 8.5.21fixed 8.5.21

    Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (

  • CVE-2025-8573Aug 5, 2025
    affected >= 9.0.0RC1, < 9.4.3fixed 9.4.3

    Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page.  Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The Concrete CMS security team gav

  • CVE-2025-3153Apr 3, 2025
    affected >= 9.0.0, < 9.4.0RC2fixed 9.4.0RC2

    Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified.  Attackers are limited to individuals whom a site admin

  • CVE-2025-0660Mar 10, 2025
    affected < 9.4.0RC1fixed 9.4.0RC1

    Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function.The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names.  The Concrete CMS security team gave this vulnerability a CVSS 4.0 Sco

  • CVE-2024-7398Sep 24, 2024
    affected >= 9.0.0, < 9.3.4fixed 9.3.4

    Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users

  • CVE-2024-8291Sep 24, 2024
    affected >= 9.0.0, < 9.3.4fixed 9.3.4

    Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color.  A rogue admin could add malicious code to the Thumbnails/Add-Type. The Concrete CMS Security Team gave this a CVSS v4 score of 5.1 with vector https://www.first

  • CVE-2024-8660Sep 17, 2024
    affected >= 9.0.0, < 9.3.3fixed 9.3.3

    Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted use

Page 1 of 4