Lucene search
K

10320 matches found

EUVD
EUVD
added 2026/05/22 12:31 a.m.13 views

EUVD-2026-31373

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonata...

2.3CVSS5.8AI score0.0013EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/22 12:31 a.m.12 views

EUVD-2026-31361

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protecti...

2.3CVSS5.8AI score0.00116EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/22 12:31 a.m.5 views

Concrete CMS is vulnerable to unauthorized file deletion

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protecti...

4.3CVSS5.8AI score0.00116EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/05/21 10:16 p.m.21 views

CVE-2026-7882

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protecti...

4.3CVSS0.00116EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/21 9:40 p.m.38 views

CVE-2026-8409 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/logs/delete. The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan...

2.3CVSS0.00142EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/21 9:32 p.m.37 views

CVE-2026-8411 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonata...

2.3CVSS0.0013EPSS
Exploits0References1
CVE
CVE
added 2026/05/21 9:25 p.m.27 views

CVE-2026-8433

Concrete CMS versions 9 before 9.5.0 are vulnerable to Cross Site Request Forgery (CSRF) in the rescan endpoint: concrete/controllers/backend/file rescan(). Root cause is CSRF in the rescan() function, enabling unauthorized state-changing requests from authenticated sessions. Affected software: C...

8.8CVSS5.8AI score0.0013EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/05/21 9:22 p.m.32 views

CVE-2026-8435 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion()

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file approveVersion. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

2.3CVSS0.00115EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/21 9:17 p.m.37 views

CVE-2026-7882 Concrete CMS 9.5.0 and below is vulnerable to CSRF via the DeleteFile controller

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protecti...

2.3CVSS0.00116EPSS
Exploits0References1
NVD
NVD
added 2026/05/21 9:16 p.m.12 views

CVE-2026-8426

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepareremoteupgrade/. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade method to...

8.8CVSS0.00171EPSS
Exploits0References1
NVD
NVD
added 2026/05/21 9:16 p.m.15 views

CVE-2026-8140

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download method in concrete/controllers/singlepage/dashboard/extend/install.php checks only the canInstallPackages permission before fetching a remote marketplace...

7.5CVSS0.00118EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/21 8:25 p.m.8 views

CVE-2026-8421

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the installpackage method of concrete/controllers/singlepage/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under...

7.5CVSS6.1AI score0.00171EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/21 8:25 p.m.10 views

EUVD-2026-31339

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the installpackage method of concrete/controllers/singlepage/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under...

7.5CVSS6.1AI score0.00171EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/21 8:24 p.m.10 views

CVE-2026-8428 CSRF token is not validated in the core CMS update controller for Concrete CMS 9.5.0 and below

Concrete CMS 9.5.0 and below emits a CSRF token in the localavailableupdate.php view $token-output'doupdate' but the corresponding doupdate method in concrete/controllers/singlepage/dashboard/system/update/update.php never calls $this-token-validate'doupdate'. The form is rendered as a POST form,...

7.5CVSS5.7AI score0.00132EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/21 8:24 p.m.8 views

CVE-2026-8428

Concrete CMS 9.5.0 and below emits a CSRF token in the localavailableupdate.php view $token-output'doupdate' but the corresponding doupdate method in concrete/controllers/singlepage/dashboard/system/update/update.php never calls $this-token-validate'doupdate'. The form is rendered as a POST form,...

7.5CVSS5.7AI score0.00132EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/05/21 8:24 p.m.25 views

CVE-2026-8428

Concrete CMS

8.8CVSS5.7AI score0.00132EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/05/21 8:22 p.m.9 views

EUVD-2026-31337

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepareremoteupgrade/. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade method to...

7.5CVSS6.5AI score0.00171EPSS
Exploits0References1
CVE
CVE
added 2026/05/21 8:22 p.m.23 views

CVE-2026-8426

Concrete CMS 9.5.0 and earlier fails to validate a CSRF token for requests to /dashboard/extend/update/prepare_remote_upgrade/. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and trigger the upgrade() method in a single b...

8.8CVSS6.5AI score0.00171EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/21 8:20 p.m.10 views

CVE-2026-8140 Concrete CMS 9.5.0 and below is vulnerable to CSRF on download() in the package install controller

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download method in concrete/controllers/singlepage/dashboard/extend/install.php checks only the canInstallPackages permission before fetching a remote marketplace...

7.5CVSS5.9AI score0.00118EPSS
Exploits0References1
CVE
CVE
added 2026/05/21 8:20 p.m.21 views

CVE-2026-8140

CVE-2026-8140 affects Concrete CMS 9.5.0 and below. The issue is a CSRF vulnerability in the download() function of concrete/controllers/single_page/dashboard/extend/install.php, which does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The function o...

7.5CVSS5.9AI score0.00118EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder