CVE-2026-8238

🗓️ 21 May 2026 21:04:50Reported by ConcreteCMSType

cve🔗 web.nvd.nist.gov👁 6 Views🌐 WEB

Concrete CMS 9.5.0 and below has IDOR at /ccm/frontend/conversations/message_page exposing messages and attachments.

Reporter	Title	Published	Views	Family All 7
ATTACKERKB	CVE-2026-8238	21 May 202621:04	–	attackerkb
CNNVD	Concrete CMS 安全漏洞	21 May 202600:00	–	cnnvd
Cvelist	CVE-2026-8238 Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/message_page' allowing unauthenticated read of any conversation message	21 May 202621:04	–	cvelist
EUVD	EUVD-2026-31354	22 May 202600:31	–	euvd
NVD	CVE-2026-8238	21 May 202622:16	–	nvd
Positive Technologies	PT-2026-42560	21 May 202600:00	–	ptsecurity
Vulnrichment	CVE-2026-8238 Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/message_page' allowing unauthenticated read of any conversation message	21 May 202621:04	–	vulnrichment

NVD

Node

concretecms concrete_cmsRange<9.5.1

[
  {
    "vendor": "Concrete CMS",
    "product": "Concrete CMS",
    "collectionURL": "https://github.com/concretecms/concretecms",
    "repo": "https://github.com/concretecms/concretecms",
    "versions": [
      {
        "status": "affected",
        "version": "5.0",
        "lessThanOrEqual": "9.5.0",
        "versionType": "git"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
documentation	www.documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

Parameter	Position	Path	Description	CWE
message_id	path	ccm/frontend/conversations/message_page	Concrete CMS <= 9.5.0 has IDOR via /ccm/frontend/conversations/message_page leaking full conversation messages (including restricted and moderated content) and attachments.	CWE-862

26 May 2026 17:29Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.15.3

CVSS 46.3

EPSS0.00046

SSVC

CWE-862