CVE-2026-7881
published 2026-05-21CVE-2026-7881: Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR…
PriorityP422medium4.3CVSS 3.1
AVNACLPRLUINSUCLINAN
EPSS
0.20%
10.5th percentile
Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| concrete5 | concrete5 | >= 0 < 9.5.1 | 9.5.1 |
| concrete_cms | concrete_cms | >= 5.0 < 9.5.0 | 9.5.0 |
| concretecms | concrete_cms | < 9.5.1 | 9.5.1 |
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvdv4.06.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-chfm-cm6h-q5x7: Concrete CMS 9
ghsa_unreviewed·2026-05-22
CVE-2026-7881 [MEDIUM] CWE-639 GHSA-chfm-cm6h-q5x7: Concrete CMS 9
Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
GHSA
Concrete CMS is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block
ghsa·2026-05-22
CVE-2026-7881 [MEDIUM] CWE-639 Concrete CMS is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block
Concrete CMS is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block
Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team thanks Tristan Madani for reporting this issue.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-21
Published