CVE-2026-8205
published 2026-05-21CVE-2026-8205: Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which…
PriorityP428medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EPSS
0.21%
11.4th percentile
Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks lalalala5678 for reporting.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| concrete5 | concrete5 | >= 0 < 9.5.1 | 9.5.1 |
| concrete_cms | concrete_cms | 5.0 – 9.5.0 | — |
| concretecms | concrete_cms | <= 9.5.0 | — |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv4.06.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-46xh-7854-f568: Concrete CMS 9
ghsa_unreviewed·2026-05-21
CVE-2026-8205 [MEDIUM] CWE-425 GHSA-46xh-7854-f568: Concrete CMS 9
Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks lalalala5678 for reporting.
GHSA
Concrete CMS is vulnerable to authorization bypass in the Calendar Block
ghsa·2026-05-21
CVE-2026-8205 [MEDIUM] CWE-425 Concrete CMS is vulnerable to authorization bypass in the Calendar Block
Concrete CMS is vulnerable to authorization bypass in the Calendar Block
Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-21
Published