CVE-2026-8414 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/event/duplicate. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan...

CVE-2026-8432

Concrete CMS versions prior to 9.5.0 are affected by a Cross-Site Request Forgery (CSRF) at the endpoint concrete/controllers/backend/file star(), due to a flaw in the star() function. Affected range includes 9.0.0 through 9.4.x. The issue is exploited by convincing an authenticated user to perfo...

CVE-2026-8434

Concrete CMS 9.x prior to 9.5.0 is vulnerable to CSRF at the concrete/controllers/backend/file rescanMultiple() endpoint. Root cause: CSRF in the rescanMultiple() handler, reported with CVSS v4.0 vector AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N and a base score of 2.3 (LOW). Impact i...