Concrete CMS (concretecms/concrete_cms) vulnerabilities
153 known vulnerabilities affecting concretecms/concrete_cms.
Total CVEs: 153
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 37, MEDIUM 109, LOW 1
Vulnerabilities
Page 4 of 8
CVE-2026-8204 | P4 | MEDIUM | CVSS 5.3 | fixed in 9.5.1 | 2026-05-21
CWE-639. Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Event Frontend Dialog, which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT
Source: nvd
CVE-2026-8238 | P4 | MEDIUM | CVSS 5.3 | fixed in 9.5.1 | 2026-05-21
CWE-862. Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs
Source: nvd
CVE-2026-8237 | P4 | MEDIUM | CVSS 5.3 | fixed in 9.5.1 | 2026-05-21
CWE-862. Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download UR
Source: nvd
CVE-2022-43686 | P4 | MEDIUM | CVSS 6.5 | fixed in 8.5.10 | affected ≥ 9.0.0, ≤ 9.1.2 | 2022-11-14
CWE-770. In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up, causing a denial of service (high load).
Source: nvd
CVE-2026-8203 | P4 | MEDIUM | CVSS 5.4 | affected ≤ 9.5.0 | 2026-05-21
CWE-79. Concrete CMS 9.5.0 and below has stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS securit
Source: nvd
CVE-2026-8205 | P4 | MEDIUM | CVSS 5.3 | affected ≤ 9.5.0 | 2026-05-21
CWE-425. Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block: action_get_events does not check canView on the calendar, so restricted event details are disclosed. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/
Source: nvd
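The two calendar entries above (CVE-2026-8204 and CVE-2026-8205) describe the same class of bug from two angles: an endpoint that returns event data without running canView on the calendar, and a dialog that runs canView on the calendar a public block displays rather than on the calendar that owns the requested event. The following is an added illustration in Python, not Concrete CMS code; the User/Calendar/Event classes, the sample calendars and the can_view helper are all hypothetical stand-ins for the real permission model, and the "vulnerable" functions model the described check placement, not the project's actual source.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # every user, including anonymous visitors, carries "guest"


@dataclass(frozen=True)
class Calendar:
    id: int
    name: str
    view_groups: frozenset  # groups allowed to view; {"guest"} means public


@dataclass(frozen=True)
class Event:
    id: int
    calendar_id: int
    title: str


# Constructed sample data (hypothetical; not from any real site).
CALENDARS = {
    1: Calendar(1, "Public events", frozenset({"guest"})),
    2: Calendar(2, "Board meetings", frozenset({"board"})),
}
EVENTS = {
    10: Event(10, 1, "Open day"),
    11: Event(11, 2, "Budget review (private)"),
}
GUEST = User("anonymous", frozenset({"guest"}))
BOARD_MEMBER = User("alice", frozenset({"guest", "board"}))


def can_view(user: User, calendar: Calendar) -> bool:
    """Stand-in for a per-calendar canView permission check."""
    return bool(user.groups & calendar.view_groups)


def get_events_vulnerable(calendar_id: int) -> list[str]:
    """Returns events for whatever calendar ID the request names; no canView check."""
    return [e.title for e in EVENTS.values() if e.calendar_id == calendar_id]


def get_events_fixed(calendar_id: int, user: User) -> list[str]:
    """Same query, but only after canView passes for the requested calendar."""
    calendar = CALENDARS.get(calendar_id)
    if calendar is None or not can_view(user, calendar):
        raise PermissionError(f"user {user.name} may not view calendar {calendar_id}")
    return [e.title for e in EVENTS.values() if e.calendar_id == calendar_id]


def event_dialog_vulnerable(block_calendar_id: int, event_id: int, user: User) -> str:
    """Authorizes against the calendar the block displays, then returns any event by ID.
    A public block therefore becomes a pivot into events of a private calendar."""
    if not can_view(user, CALENDARS[block_calendar_id]):
        raise PermissionError("block calendar not viewable")
    return EVENTS[event_id].title


def event_dialog_fixed(event_id: int, user: User) -> str:
    """Authorizes against the calendar that owns the requested event, ignoring which
    block the request came through. Missing and forbidden events raise the same
    error so the response does not confirm that a hidden event exists."""
    event = EVENTS.get(event_id)
    if event is None or not can_view(user, CALENDARS[event.calendar_id]):
        raise LookupError(f"no viewable event {event_id}")
    return event.title
```

The point of the fixed dialog is that the authorization subject is derived from the object being returned (event → owning calendar), never from a caller-supplied context such as the block the request arrived through; collapsing "not found" and "not permitted" into one error also avoids the existence oracle that the get_rating entry further down this page describes.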
CVE-2026-8240 | P4 | MEDIUM | CVSS 5.3 | fixed in 9.5.1 | 2026-05-21
CWE-284. Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with
Source: nvd
CVE-2014-5107 | P4 | MEDIUM | CVSS 5.0 | affected v5.4.2, v5.4.2.1 (+6 more) | 2014-07-28
CWE-200. concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2) system/view.php, (3) system/environment/file_storage_locations.php, (4) system/mail/importers.php, (5) system/mail/method.php, (6) system/permissions/file_types.php, (7) system/permissions/files.php, (8) system/permis
Source: nvd
CVE-2023-44763 | P4 | MEDIUM | CVSS 5.4 | affected v9.2.1 | 2023-10-10
CWE-434. Concrete CMS v9.2.1 is affected by an arbitrary file upload vulnerability via a thumbnail file upload, which allows cross-site scripting (XSS). NOTE: the vendor's position is that a customer is supposed to know that "pdf" should be excluded from the allowed file types, even though pdf is one of the allowed file types in the default configuration.
Source: nvd
CVE-2024-7398 | P4 | MEDIUM | CVSS 5.4 | fixed in 8.5.19 | affected ≥ 9.0.0, < 9.3.3 | 2024-09-25
CWE-79. Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. Th
Source: nvd
CVE-2026-8239 | P4 | MEDIUM | CVSS 5.3 | fixed in 9.5.1 | 2026-05-21
CWE-862. Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence of, and returns the rating score for, any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani
Source: nvd
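The three conversation IDOR entries (CVE-2026-8237, CVE-2026-8238 and CVE-2026-8239) share one exploitation signature: an unauthenticated client walking message IDs against the named endpoints. Until 9.5.1 is deployed, that pattern is visible in ordinary web-server access logs. The detector below is an added example, not part of this page or of Concrete CMS; it parses "combined" format log lines, keeps only requests to the three endpoint paths quoted above, and flags any client that requests an unusually large number of distinct query strings within a short window. The sample log lines are constructed, and the `id=` parameter name in them is a placeholder (the advisories do not state the parameter name), which is why the detector counts distinct query strings rather than a specific parameter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint paths named in the three advisories above.
WATCHED_PATHS = frozenset({
    "/ccm/frontend/conversations/message_detail",
    "/ccm/frontend/conversations/message_page",
    "/ccm/frontend/conversations/get_rating",
})

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return (ip, timestamp, path, query, status) for a request to a watched path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    if path not in WATCHED_PATHS:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, path, query, int(m["status"])


def find_enumerators(lines, window=timedelta(seconds=60), threshold=20):
    """Map client IP -> peak number of distinct watched requests seen inside one window.
    Only clients whose peak reaches `threshold` are returned. Distinct query strings are
    counted, so the check does not depend on the parameter name the endpoints use."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec[0]].append(rec[1:])  # (timestamp, path, query, status)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[0])
        peak = 0
        for i, (start, _path, _query, _status) in enumerate(recs):
            distinct = {r[2] for r in recs[i:] if r[0] - start <= window}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, second, target, status=200):
    """Builds one constructed log line (sample data, not a real capture)."""
    return (f'{ip} - - [21/May/2026:10:15:{second:02d} +0000] '
            f'"GET {target} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one client walking 25 message IDs in under half a minute,
# one client fetching a single message normally. "id=" is a placeholder
# parameter name, not taken from the advisories.
SAMPLE_LOG = [
    _line("203.0.113.7", i, f"/ccm/frontend/conversations/message_detail?id={1000 + i}")
    for i in range(25)
] + [
    _line("198.51.100.4", 5, "/ccm/frontend/conversations/message_detail?id=42"),
    _line("198.51.100.4", 9, "/ccm/frontend/conversations/get_rating?id=42"),
    _line("198.51.100.4", 30, "/index.php/blog/hello"),
]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Tune `threshold` against a baseline from your own logs: a busy, legitimate conversation page can fetch several messages per visit, but sequential walks of hundreds of IDs from one client are not normal traffic. Because these endpoints are unauthenticated, the source IP is the only client identity available, so run the detector behind any proxy layer that preserves the real client address.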
CVE-2017-8082 | P4 | MEDIUM | CVSS 6.5 | affected v8.1.0 | 2017-04-24
CWE-352. concrete5 8.1.0 has CSRF in the Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results in a site-wide denial of service making the site not accessible to any us
Source: nvd
CVE-2023-28819 | P4 | MEDIUM | CVSS 5.4 | fixed in 9.1.0 | 2023-04-28
CWE-79. Concrete CMS (previously concrete5) versions 8.5.12 and below and 9.0.0 through 9.0.2 are vulnerable to stored XSS in uploaded file and folder names.
Source: nvd
CVE-2023-48649 | P4 | MEDIUM | CVSS 5.4 | fixed in 8.5.13 | affected ≥ 9.0, < 9.2.2 | 2023-11-17
CWE-79. Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name.
Source: nvd
CVE-2023-28477 | P4 | MEDIUM | CVSS 5.4 | fixed in 9.2.0 | 2023-04-28
CWE-79. Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3, are vulnerable to stored XSS on API Integrations via the name parameter.
Source: nvd
CVE-2021-22969 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.5.7 | 2021-11-19
CWE-918. Concrete CMS (formerly concrete5) versions below 8.5.7 have an SSRF mitigation bypass using a DNS rebinding attack, giving an attacker the ability to fetch cloud IaaS (e.g. AWS) IAM keys. To fix this, Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS. Discoverer: Adrian Tiron
Source: nvd
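The fix described for CVE-2021-22969 is the standard defence against DNS rebinding in SSRF filters: a check that resolves the hostname, validates the address, and then lets the HTTP client resolve the name a second time can be beaten by a DNS answer that changes between the two lookups. The code below is an added example of that resolve-validate-pin pattern in Python; it is not Concrete CMS's implementation. Every address the name resolves to is validated (a rebinding record that mixes a public and a private answer is rejected outright), IPv4-mapped IPv6 forms of the cloud metadata address are unwrapped before the check, and the URL is rewritten to one validated IP literal with the original name carried in the Host header. The resolver is injectable so the example runs offline on constructed answers; `system_resolver` is the real one.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request

# RFC 6598 shared address space; not flagged by ip.is_private on older Pythons.
_CGNAT = ipaddress.ip_network("100.64.0.0/10")


def is_public_address(text: str) -> bool:
    """True only for addresses that are safe to fetch from on behalf of a user."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 must be judged as IPv4
    if ip.version == 4 and ip in _CGNAT:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> list[str]:
    """Every address the name resolves to, so a mixed public/private answer is visible."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def pin_url(url: str, resolver=system_resolver) -> tuple[str, str]:
    """Resolve once, validate every answer, and rewrite the URL to one validated IP.
    Returns (pinned_url, host_header). The HTTP client must connect to pinned_url and
    send host_header, so no second DNS lookup happens between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal: nothing to resolve
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise ValueError(f"{host} does not resolve")
    blocked = [a for a in addresses if not is_public_address(a)]
    if blocked:
        raise ValueError(f"refusing {host}: resolves to non-public address(es) {blocked}")
    chosen = addresses[0]
    literal = f"[{chosen}]" if ":" in chosen else chosen
    netloc = literal if parts.port is None else f"{literal}:{parts.port}"
    host_header = host if parts.port is None else f"{host}:{parts.port}"
    # userinfo from the URL is deliberately dropped; fragments never reach the server
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, "")), host_header


def build_request(url: str, resolver=system_resolver) -> Request:
    """A urllib Request bound to the validated IP, with the original name as Host."""
    pinned, host_header = pin_url(url, resolver)
    return Request(pinned, headers={"Host": host_header})
```

Two caveats a practitioner should carry over: redirects must go through `pin_url` again rather than being followed by the client automatically, and for HTTPS the client has to send the original hostname as SNI and verify the certificate against that name rather than the IP literal, which plain urllib does not do when handed an IP URL; a client library that supports a separate connect address (or a pinned resolver hook) is the right tool there.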
CVE-2023-28476 | P4 | MEDIUM | CVSS 5.4 | fixed in 9.2.0 | 2023-04-28
CWE-79. Concrete CMS (previously concrete5) versions 9.0 through 9.1.3 are vulnerable to stored XSS on tags of uploaded files.
Source: nvd
CVE-2022-43689 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.5.10 | affected ≥ 9.0.0, ≤ 9.1.2 | 2022-11-14
CWE-611. Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE-based DNS requests leading to IP disclosure.
Source: nvd
CVE-2023-28472 | P4 | MEDIUM | CVSS 5.3 | fixed in 9.2.0 | 2023-04-28
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3, do not set the Secure and HttpOnly attributes on ccmPoll cookies.
Source: nvd
CVE-2026-8139 | P4 | MEDIUM | CVSS 5.4 | affected ≤ 9.5.0 | 2026-05-21
CWE-79. Concrete CMS 9.5.0 and below is vulnerable to stored XSS via the external-link page cvName, because updateCollectionAliasExternal stores it without sanitization. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Source: nvd