Concrete CMS Patches 25 CVEs, Including 12 High-Severity CSRF Bugs and IDOR Flaws
Concrete CMS shipped version 9.5.1 to patch 25 vulnerabilities, including 12 high-severity CSRF bugs, IDOR leaks of private messages, and a password-change bypass.

Concrete CMS shipped a security release on May 21–22, 2026, addressing 25 vulnerabilities spanning cross-site request forgery (CSRF), insecure direct object references (IDOR), stored and reflected cross-site scripting (XSS), and information disclosure — all affecting version 9.x up to 9.5.0. The batch, reported primarily by Yonatan Drori (Tenzai) and the Concrete CMS security team, includes 12 high-severity CSRF flaws and a cluster of IDOR bugs that expose private conversation messages, page metadata, and survey data to unauthenticated attackers.
The largest thematic group is a set of 12 CSRF vulnerabilities, each rated High (CVSSv3 8.8) and located in backend file-management and dialog controllers. CVE-2026-8434, CVE-2026-8433, CVE-2026-8432, CVE-2026-8427, and CVE-2026-8416 target file operations such as rescanMultiple(), rescan(), star(), removeFavoriteFolder(), and addFavoriteFolder(). Additional CSRF bugs hit dialog endpoints for Express association reordering (CVE-2026-8415), event duplication (CVE-2026-8414), and bulk page actions — design (CVE-2026-8413), cache (CVE-2026-8412), delete (CVE-2026-8411), and log deletion (CVE-2026-8410, CVE-2026-8409). A separate lower-severity CSRF (CVE-2026-8340, CVSSv3 4.3) allows a victim with edit_file_contents permission to be tricked into approving an attacker-chosen file version.
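The CSRF bugs above share one root cause: a state-changing backend action checks that the caller is logged in but not that the request originated from the application's own UI, so a forged cross-site POST carrying the victim's session cookie is accepted. The following PHP is an added illustration of that pattern beside its fix; it is not Concrete CMS code. The session array, the `starFile*()` handlers, the `fID` and `ccm_token` field names, and the HMAC-based token helper are all assumptions chosen for the example rather than Concrete's own token API.

```php
<?php
// Added illustration (not Concrete CMS code): a state-changing backend action
// that trusts any authenticated request, beside one that demands a per-action
// CSRF token. starFile*(), csrf_token(), the field names and the $session
// array are hypothetical stand-ins for a framework's own session/token API.

declare(strict_types=1);

// Simulated server-side session (constructed sample state).
$session = ['user_id' => 42, 'csrf_secret' => bin2hex(random_bytes(32))];

// Derive a token bound to both the session secret and a specific action name,
// so a token obtained for one action cannot be replayed against another.
function csrf_token(array $session, string $action): string
{
    return hash_hmac('sha256', $action, $session['csrf_secret']);
}

function csrf_valid(array $session, string $action, ?string $supplied): bool
{
    if ($supplied === null) {
        return false;
    }
    // Constant-time comparison avoids leaking token bytes through timing.
    return hash_equals(csrf_token($session, $action), $supplied);
}

// Vulnerable pattern: authentication is checked, request provenance is not.
// A cross-site form auto-submitted by a logged-in victim's browser succeeds.
function starFileVulnerable(array $session, array $post, array &$files): string
{
    if (!isset($session['user_id'])) {
        return 'forbidden';
    }
    $files[(int) $post['fID']]['starred'] = true;
    return 'ok';
}

// Hardened pattern: the same action additionally requires a valid token for
// this specific action, which another origin cannot read or compute.
function starFileHardened(array $session, array $post, array &$files): string
{
    if (!isset($session['user_id'])) {
        return 'forbidden';
    }
    if (!csrf_valid($session, 'star_file', $post['ccm_token'] ?? null)) {
        return 'invalid token';
    }
    $files[(int) $post['fID']]['starred'] = true;
    return 'ok';
}

// Constructed sample data.
$files = [7 => ['name' => 'report.pdf', 'starred' => false]];

// A forged request carries the victim's session but no token.
$forged = ['fID' => '7'];
echo 'vulnerable, no token: ', starFileVulnerable($session, $forged, $files), "\n";
$files[7]['starred'] = false;
echo 'hardened, no token:   ', starFileHardened($session, $forged, $files), "\n";

// A request built from the application's own form includes the token.
$legit = ['fID' => '7', 'ccm_token' => csrf_token($session, 'star_file')];
echo 'hardened, with token: ', starFileHardened($session, $legit, $files), "\n";
```

Run with `php csrf_demo.php`. The vulnerable handler applies the tokenless request, the hardened one rejects it and only accepts the request that carries a token derived from the session secret; per-action binding is what stops a token captured for one dialog from authorizing a different bulk page action.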
Seven IDOR vulnerabilities make up the next-largest group. CVE-2026-8237, CVE-2026-8238, and CVE-2026-8239 expose the full content and rating of conversation messages via unauthenticated endpoints (/ccm/frontend/conversations/message_detail, message_page, and get_rating), allowing enumeration of messages from restricted pages and the moderation queue. CVE-2026-8236 leaks internal site structure data (page IDs, versions, URL paths) through the file-usage dialog endpoint. CVE-2026-8337 lets an unauthenticated attacker vote in restricted surveys by submitting a restricted option ID through a public survey's endpoint. CVE-2026-8347 enables cross-entity state tampering in the Express association reorder dialog. CVE-2026-8240 discloses page metadata (title, path, description, author) for private, draft, and restricted pages via summary templates.
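The IDOR class described above comes from endpoints that authorize on "does this record exist" rather than "may this caller see the object it belongs to". The PHP below is an added illustration, not Concrete CMS code: the `$pages` and `$messages` arrays, the role model, and the `messageDetail*()` functions are constructed for the example and do not mirror Concrete's conversation API. It shows a message-detail lookup that returns any message by ID beside one that resolves the message's parent page, checks the caller's permission on that page, and hides unapproved (moderation-queue) messages from non-moderators.

```php
<?php
// Added illustration (not Concrete CMS code): a message-detail endpoint that
// authorizes on the parent page instead of on the message ID. Data, role
// names and function names are constructed for this example.

declare(strict_types=1);

// Constructed sample data: a public page and a members-only page, each with
// conversation messages; message 3 is still in the moderation queue.
$pages = [
    10 => ['name' => 'Public news',  'viewers' => ['*']],
    11 => ['name' => 'Members only', 'viewers' => ['member', 'admin']],
];
$messages = [
    1 => ['page' => 10, 'body' => 'Hello world',         'approved' => true],
    2 => ['page' => 11, 'body' => 'Private board post',  'approved' => true],
    3 => ['page' => 10, 'body' => 'Awaiting moderation', 'approved' => false],
];

// Vulnerable pattern: the only input is the ID and the only check is
// existence, so sequential IDs make every message readable to anyone.
function messageDetailVulnerable(array $messages, int $id): ?array
{
    return $messages[$id] ?? null;
}

// Hardened pattern: permission is decided on the object the message belongs
// to (its page), and unapproved messages are shown only to moderators.
function canViewPage(array $page, ?string $role): bool
{
    return in_array('*', $page['viewers'], true)
        || ($role !== null && in_array($role, $page['viewers'], true));
}

function messageDetailHardened(array $pages, array $messages, int $id, ?string $role): ?array
{
    $msg = $messages[$id] ?? null;
    if ($msg === null) {
        return null;
    }
    $page = $pages[$msg['page']] ?? null;
    // Same "not found" answer for missing and forbidden, so the response does
    // not confirm that a message with this ID exists.
    if ($page === null || !canViewPage($page, $role)) {
        return null;
    }
    if (!$msg['approved'] && $role !== 'admin') {
        return null;
    }
    return $msg;
}

// What an anonymous caller ($role === null) receives from each endpoint.
foreach (array_keys($messages) as $id) {
    $v = messageDetailVulnerable($messages, $id);
    $h = messageDetailHardened($pages, $messages, $id, null);
    printf("id=%d vulnerable=%-20s hardened=%s\n",
        $id,
        $v === null ? 'hidden' : $v['body'],
        $h === null ? 'hidden' : $h['body']);
}
```

The design point is that the permission check keys off the container (the page and its moderation state), which is where site owners actually configure access, rather than off the message row itself. The same shape applies to the file-usage, survey-option and page-summary leaks in the batch: resolve the parent object first, check the caller against it, and return an indistinguishable "not found" when the check fails.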
Three XSS flaws were disclosed. CVE-2026-8353 (CVSSv3 4.8) is a stored XSS in the Atomik theme's page-name field, allowing a rogue editor to inject JavaScript that executes for any authenticated user visiting affected account pages. CVE-2026-8139 (CVSSv3 5.4) is a stored XSS in the external-link page cvName field, where updateCollectionAliasExternal bypasses sanitization. CVE-2026-8245 (CVSSv3 5.4) is a reflected XSS in the legacy pagination component, where the $URL field is raw-interpolated into href attributes — exploitable by any authenticated admin or report viewer with access to /dashboard/reports/f. Separately, CVE-2026-8327 (CVSSv3 4.3) allows a password change without reauthorization: the user-profile edit controller passes the entire raw POST array to UserInfo::update() without field whitelisting, bypassing the current-password check and session-hardening.
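The password-change bypass (CVE-2026-8327) is a mass-assignment problem: a form that is meant to edit a few profile fields forwards the whole request body to a generic update routine, so any field that routine understands, the password included, can be set without the current-password check ever running. The PHP below is an added illustration of that defect beside its fix; it is not Concrete CMS code, and the `UserAccount` class, its `update()` method and the `editProfile*()` handlers are constructed for the example rather than a model of Concrete's `UserInfo::update()`.

```php
<?php
// Added illustration (not Concrete CMS code): a profile-update handler that
// passes the raw POST array to a generic updater, beside one that whitelists
// the fields the form owns and requires the current password before accepting
// a new one. UserAccount and its methods are constructed for this example.

declare(strict_types=1);

final class UserAccount
{
    public function __construct(
        public string $email,
        public string $displayName,
        private string $passwordHash,
    ) {}

    public function passwordHash(): string
    {
        return $this->passwordHash;
    }

    // Generic updater: applies every key it is given. It is safe only when
    // the caller has already decided which keys may reach it.
    public function update(array $fields): void
    {
        foreach ($fields as $key => $value) {
            if ($key === 'password') {
                $this->passwordHash = password_hash($value, PASSWORD_DEFAULT);
            } elseif ($key === 'email' || $key === 'displayName') {
                $this->$key = $value;
            }
        }
    }
}

// Vulnerable pattern: the entire request body reaches update(), so a
// 'password' key smuggled into a profile edit silently replaces the password.
function editProfileVulnerable(UserAccount $user, array $post): string
{
    $user->update($post);
    return 'updated';
}

// Hardened pattern: only the profile fields this form owns are forwarded, and
// a password change must prove knowledge of the current password.
function editProfileHardened(UserAccount $user, array $post): string
{
    $allowed = ['email', 'displayName'];
    $fields  = array_intersect_key($post, array_flip($allowed));

    if (isset($post['password'])) {
        $current = $post['current_password'] ?? '';
        if (!password_verify($current, $user->passwordHash())) {
            return 'current password required';
        }
        $fields['password'] = $post['password'];
    }
    $user->update($fields);
    return 'updated';
}

// Constructed sample account and a request that hides a password change
// inside what the form presents as a display-name edit.
function freshAccount(): UserAccount
{
    return new UserAccount('alice@example.test', 'Alice',
        password_hash('old-secret', PASSWORD_DEFAULT));
}
$post = ['displayName' => 'Alice B.', 'password' => 'not-the-users-choice'];

$user   = freshAccount();
$before = $user->passwordHash();
echo 'vulnerable: ', editProfileVulnerable($user, $post),
    ', password changed: ', var_export($user->passwordHash() !== $before, true), "\n";

$user   = freshAccount();
$before = $user->passwordHash();
echo 'hardened:   ', editProfileHardened($user, $post),
    ', password changed: ', var_export($user->passwordHash() !== $before, true), "\n";
```

The whitelist is built from the form's perspective (`$allowed`) rather than from the model's, so adding a new updatable column to the model later does not silently widen what this form can change; the current-password check sits on the handler, where the request is still available, not inside the generic updater.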
All 25 CVEs affect Concrete CMS versions 9.0 through 9.5.0. The Concrete CMS security team has addressed the full batch in version 9.5.1. Users running any 9.x release below 9.5.1 are advised to upgrade immediately. No in-the-wild exploitation has been reported for any of these CVEs as of the disclosure date.
While none of the 25 CVEs carry a Critical severity rating, the sheer volume — particularly the 12 CSRF bugs and the unauthenticated IDOR endpoints — significantly expands the attack surface for Concrete CMS sites. The conversation-message enumeration flaws (CVE-2026-8237, CVE-2026-8238) are especially concerning for community or membership sites that rely on private messaging. The password-change bypass (CVE-2026-8327) removes a core authentication control. Site administrators should prioritize the 9.5.1 upgrade and review any custom integrations that interact with the affected file, dialog, and conversation endpoints.