Lucene search
K

8 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:10 p.m.7 views

CVE-2026-8421

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the installpackage method of concrete/controllers/singlepage/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under...

8.8CVSS5.9AI score0.00171EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/21 9:30 p.m.2 views

Cross-site Request Forgery (CSRF)

Overview concrete5/concrete5 is a concrete5 open source CMS. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the /dashboard/extend/update/prepareremoteupgrade/ process. An attacker can execute arbitrary code as the web server user by tricking an authenticat...

8.8CVSS6AI score0.00171EPSS
Exploits0References2
CVE
CVE
added 2026/05/21 8:25 p.m.23 views

CVE-2026-8421

Concrete CMS 9.5.0 and earlier versions include a CSRF vulnerability in the install_package() handler (concrete/controllers/single_page/dashboard/extend/install.php). An attacker who can induce an authenticated administrator to visit a crafted page and has placed or caused a package under DIR_PAC...

8.8CVSS6.1AI score0.00171EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/05/21 8:25 p.m.35 views

CVE-2026-8421 Concrete CMS 9.5.0 and below is vulnerable to CSRF on install_package() with conditional token bypass leading to RCE

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the installpackage method of concrete/controllers/singlepage/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under...

7.5CVSS0.00171EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/21 8:25 p.m.8 views

CVE-2026-8421

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the installpackage method of concrete/controllers/singlepage/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under...

7.5CVSS6.1AI score0.00171EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/21 8:22 p.m.8 views

EUVD-2026-31337

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepareremoteupgrade/. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade method to...

7.5CVSS6.5AI score0.00171EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/21 8:20 p.m.8 views

CVE-2026-8140

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download method in concrete/controllers/singlepage/dashboard/extend/install.php checks only the canInstallPackages permission before fetching a remote marketplace...

7.5CVSS5.9AI score0.00118EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.13 views

PT-2026-42548

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare remote upgrade/. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade method to...

7.5CVSS6.5AI score0.00171EPSS
Exploits0References2
Rows per page
Query Builder