CVE-2026-6826

🗓️ 21 May 2026 20:55:21Reported by ConcreteCMSType

cve🔗 web.nvd.nist.gov👁 8 Views🌐 WEB

Unauthenticated file usage disclosure in Concrete CMS 9.5.0 and earlier due to missing usage controller permission check.

Reporter	Title	Published	Views	Family All 8
ATTACKERKB	CVE-2026-6826	21 May 202620:55	–	attackerkb
CNNVD	Concrete CMS 信息泄露漏洞	21 May 202600:00	–	cnnvd
Cvelist	CVE-2026-6826 Concrete 9.5.0 and below has file usage disclosure via missing permission check in Usage controller	21 May 202620:55	–	cvelist
EUVD	EUVD-2026-31344	21 May 202620:55	–	euvd
NVD	CVE-2026-6826	21 May 202621:16	–	nvd
Positive Technologies	PT-2026-42540	21 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-6826	5 Jun 202619:31	–	redhatcve
Vulnrichment	CVE-2026-6826 Concrete 9.5.0 and below has file usage disclosure via missing permission check in Usage controller	21 May 202620:55	–	vulnrichment

NVD

Node

concretecms concrete_cmsRange<9.5.1

[
  {
    "vendor": "Concrete CMS",
    "product": "Concrete CMS",
    "collectionURL": "https://github.com/concretecms/concretecms",
    "repo": "https://github.com/concretecms/concretecms",
    "versions": [
      {
        "status": "affected",
        "version": "5.0",
        "lessThanOrEqual": "9.5.0",
        "versionType": "git"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
documentation	www.documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

Parameter	Position	Path	Description	CWE
fID	path	/ccm/system/dialogs/file/usage/{fID}	Unauthenticated file usage disclosure due to missing permission check in usage controller; allows any visitor to retrieve pages referencing a file.	CWE-200

26 May 2026 14:59Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.15.3

CVSS 46.9

EPSS0.00025

SSVC

CWE-200