
5 matches found

CVE
added 2026/05/21 9:4 p.m. · 14 views

CVE-2026-8238

Concrete CMS versions 9.5.0 and earlier are vulnerable to an IDOR at the endpoint /ccm/frontend/conversations/message_page, which exposes full content of any conversation message and file attachments via unauthenticated access. An attacker can enumerate messages from restricted pages, member-only...

CVSS 6.3 · AI score 5.8 · EPSS 0.00201
Exploits: 0 · References: 1 · Affected Software: 1
Positive Technologies
added 2026/03/10 12:0 a.m. · 3 views

PT-2026-24619

Summary: The /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target...

CVSS 8.8 · AI score 5.9 · EPSS 0.00564
Exploits: 3 · References: 8
Cvelist
added 2025/10/17 12:0 a.m. · 8 views

CVE-2025-56316

A SQL injection vulnerability in the contenttitle parameter of the /cms/content/list endpoint in MCMS 5.5.0 allows remote attackers to execute arbitrary SQL queries via unsanitized input in the FreeMarker template rendering...

EPSS 0.0058
Exploits: 1 · References: 2
EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2022-40878

Malicious code in bioql PyPI...

CVSS 7.2 · AI score 7.1 · EPSS 0.00874
Exploits: 1 · References: 1
Positive Technologies
added 2024/03/13 12:0 a.m. · 2 views

PT-2024-22524 · Dedecms · Dedecms

Name of the Vulnerable Software and Affected Versions: DedeCMS version 5.7. Description: A Cross-Site Request Forgery (CSRF) issue was found in DedeCMS. The vulnerability can be exploited via the /dede/sys_cache_up.php API endpoint. Recommendations: For DedeCMS version 5.7, as a temporary workaround...

CVSS 6.3 · AI score 6.8 · EPSS 0.00233
Exploits: 1 · References: 5