Concretecms Concrete Cms vulnerabilities
153 known vulnerabilities affecting concretecms/concrete_cms.
Total CVEs: 153
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 37, MEDIUM 109, LOW 1
Vulnerabilities
Page 8 of 8
CVE-2026-8340 | P4 | MEDIUM | CVSS 4.3 | fixed in 9.5.1 | 2026-05-22
CWE-352
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version (downgrade to an older version of a file, or activation of a co-editor's unpublished version). The Concrete CMS security team gave this vulnerability a C
Source: nvd
CVE-2023-44760 | P4 | MEDIUM | CVSS 4.8 | v9.2.1 | 2023-10-23
CWE-79
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. NOTE: the vendor disputes this because these header/footer changes can only be made by an admin, and allowing an admin to place JavaScript there i
Source: nvd
CVE-2022-43695 | P4 | MEDIUM | CVSS 4.8 | fixed in 8.5.10; ≥ 9.0.0, ≤ 9.1.2 | 2022-11-14
CWE-79
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to
Source: nvd
CVE-2025-8571 | P4 | MEDIUM | CVSS 4.8 | fixed in 8.5.21; ≥ 9.0, < 9.4.3 | 2025-08-05
CWE-20
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. The Concret
Source: nvd
CVE-2014-5108 | P4 | MEDIUM | CVSS 4.3 | v5.4.2, v5.4.2.1, +6 more | 2014-07-28
CWE-79
Cross-site scripting (XSS) vulnerability in single_pages\download_file.php in concrete5 before 5.6.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to index.php/download_file.
Source: nvd
CVE-2018-19146 | P4 | MEDIUM | CVSS 4.8 | v8.4.3 | 2019-06-17
CWE-79
Concrete5 8.4.3 has XSS because config/concrete.php allows uploads (by administrators) of SVG files that may contain HTML data with a SCRIPT element.
Source: nvd
CVE-2014-9526 | P4 | MEDIUM | CVSS 4.3 | v5.7.2 | 2015-01-05
CWE-79
Multiple cross-site scripting (XSS) vulnerabilities in concrete5 5.7.2.1, 5.7.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gName parameter in single_pages/dashboard/users/groups/bulkupdate.php or (2) instance_id parameter in tools/dashboard/sitemap_drag_request.php.
Source: nvd
CVE-2023-44766 | P4 | MEDIUM | CVSS 4.8 | v9.2.1 | 2023-10-06
CWE-79
A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. NOTE: the vendor disputes this because this SEO-related header change can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization
Source: nvd
CVE-2022-43688 | P4 | MEDIUM | CVSS 4.8 | fixed in 8.5.10; ≥ 9.0.0, ≤ 9.1.2 | 2022-11-14
CWE-79
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
Source: nvd
CVE-2023-48653 | P4 | MEDIUM | CVSS 4.3 | fixed in 8.5.14; ≥ 9.0.0, < 9.2.3 | 2024-02-29
CWE-352
Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential.
Source: nvd
CVE-2023-48651 | P4 | MEDIUM | CVSS 4.3 | ≥ 9.0.0, < 9.2.3 | 2024-02-29
CWE-352
Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) at /ccm/system/dialogs/file/delete/1/submit.
Source: nvd
CVE-2023-48652 | P4 | MEDIUM | CVSS 4.3 | ≥ 9.0, < 9.2.3 | 2023-12-25
CWE-352
Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated.
Source: nvd
CVE-2023-28473 | P4 | LOW | CVSS 3.3 | fixed in 9.2.0 | 2023-04-28
CWE-287
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section.
Source: nvd