VYPR

Vendor CVEs

Concrete5

All CVEs

89 total · sorted by risk
  • CVE-2015-4724HigSep 7, 2017
    risk 0.57cvss 8.8epss 0.01

    SQL injection vulnerability in Concrete5 5.7.3.1.

  • CVE-2026-10721HigJun 10, 2026
    risk 0.55cvss epss 0.00

    Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the…

  • CVE-2026-7888HigJun 3, 2026
    risk 0.55cvss epss 0.00

    Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious…

  • CVE-2026-8434HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:…

  • CVE-2026-8433HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/S…

  • CVE-2026-8432HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:…

  • CVE-2026-8427HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L…

  • CVE-2026-8416HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA…

  • CVE-2026-8415HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:…

  • CVE-2026-8414HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/…

  • CVE-2026-8413HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N…

  • CVE-2026-8412HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N…

  • CVE-2026-8411HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N…

  • CVE-2026-8410HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete.  The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:…

  • CVE-2026-8409HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete.  The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:…

  • CVE-2026-8428HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php never calls $this->token->validate('do_update').…

  • CVE-2026-8426HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and…

  • CVE-2026-8421HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php.  An attacker who can cause an authenticated administrator to visit a crafted page,  and who has placed or caused a…

  • CVE-2026-8417HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before executing…

  • CVE-2026-8350HigMay 21, 2026
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group…

  • CVE-2018-13790HigJul 9, 2018
    risk 0.47cvss 7.2epss 0.01

    A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL functionality on the File Manager page.

  • CVE-2017-7725MedApr 13, 2017
    risk 0.43cvss 6.1epss 0.03

    concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on installation of concrete5 using the "Advanced Options" settings. Remote attackers can make a GET request with any domain name in the Host…

  • CVE-2017-8082MedApr 24, 2017
    risk 0.42cvss 6.5epss 0.01

    concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results…

  • CVE-2026-8135HigMay 21, 2026
    risk 0.40cvss 7.2epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF ===…

  • CVE-2026-8134HigMay 21, 2026
    risk 0.40cvss 7.2epss 0.01

    Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include…

  • CVE-2015-4721MedSep 7, 2017
    risk 0.40cvss 6.1epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1.

  • CVE-2017-6908MedMar 15, 2017
    risk 0.40cvss 6.1epss 0.01

    An issue was discovered in concrete5 <= 5.6.3.4. The vulnerability exists due to insufficient filtration of user-supplied data (fID) passed to the "concrete5-legacy-master/web/concrete/tools/files/selector_data.php" URL. An attacker could execute arbitrary HTML and script code…

  • CVE-2017-6905MedMar 15, 2017
    risk 0.40cvss 6.1epss 0.01

    An issue was discovered in concrete5 <= 5.6.3.4. The vulnerability exists due to insufficient filtration of user-supplied data (disable_choose) passed to the "concrete5-legacy-master/web/concrete/tools/files/search_dialog.php" URL. An attacker could execute arbitrary HTML and…

  • CVE-2026-8435MedMay 21, 2026
    risk 0.35cvss 6.5epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC…

  • CVE-2026-7890MedMay 21, 2026
    risk 0.35cvss 6.4epss 0.00

    In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses.  The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a…

  • CVE-2026-7887MedMay 21, 2026
    risk 0.35cvss 6.4epss 0.00

    For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this…

  • CVE-2026-8140MedMay 21, 2026
    risk 0.35cvss 6.5epss 0.00

    Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() permission before…

  • CVE-2026-8353MedMay 22, 2026
    risk 0.31cvss 4.8epss 0.00

    Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking,…

  • CVE-2026-8245MedMay 21, 2026
    risk 0.28cvss 5.4epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (). Any authenticated admin or…

  • CVE-2026-8139MedMay 21, 2026
    risk 0.28cvss 5.4epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/V…

  • CVE-2026-8203MedMay 21, 2026
    risk 0.28cvss 5.4epss 0.00

    Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session…

  • CVE-2026-8337MedMay 21, 2026
    risk 0.27cvss 5.3epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the…

  • CVE-2026-8240MedMay 21, 2026
    risk 0.27cvss 5.3epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information. The…

  • CVE-2026-8239MedMay 21, 2026
    risk 0.27cvss 5.3epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with…

  • CVE-2026-8238MedMay 21, 2026
    risk 0.27cvss 5.3epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages,…

  • CVE-2026-8237MedMay 21, 2026
    risk 0.27cvss 5.3epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages,…

  • CVE-2026-7879MedMay 21, 2026
    risk 0.27cvss 5.3epss 0.00

    In Concrete CMS 9.5.0 and below,  the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be downloaded…

  • CVE-2026-8205MedMay 21, 2026
    risk 0.27cvss 5.3epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS…

  • CVE-2026-8204MedMay 21, 2026
    risk 0.27cvss 5.3epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this…

  • CVE-2026-6826MedMay 21, 2026
    risk 0.27cvss 5.3epss 0.00

    Concrete CMS 9.5.0 and below  is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller.  Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that…

  • CVE-2026-8197MedMay 21, 2026
    risk 0.24cvss 4.8epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation helper as a sprintf-style format. The ... wrap is built by PHP…

  • CVE-2026-8347MedMay 22, 2026
    risk 0.21cvss 4.3epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog.  This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on…

  • CVE-2026-8340MedMay 22, 2026
    risk 0.21cvss 4.3epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version (downgrade to an older version of a file, or activation of a co-editor's…

  • CVE-2026-8327MedMay 21, 2026
    risk 0.21cvss 4.3epss 0.00

    Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update() without field whitelisting resulting in password change without…

  • CVE-2026-8236MedMay 21, 2026
    risk 0.21cvss 4.3epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site structure data (page IDs, versions, URL paths) to anyone who sends…

Page 1 of 2