CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added 2026/05/22 2:18 p.m.•7 views

CVE-2026-8353 Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme

2.1CVSS5.9AI score0.00196EPSS

CVE•added 2026/05/22 2:18 p.m.•17 views

CVE-2026-8353

Concrete CMS versions 9.0–9.5.0 are vulnerable to a Stored XSS in the Atomik theme triggered by a crafted page name. An attacker with editor privileges can inject JavaScript that runs in the context of any authenticated user visiting affected account pages, enabling session hijacking, credential ...

4.8CVSS5.9AI score0.00196EPSS

Exploits0References1Affected Software1

Cvelist•added 2026/05/22 2:6 p.m.•11 views

CVE-2026-8347 Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in Express association Reorder dialog

Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity...

2.3CVSS0.0023EPSS

ATTACKERKB•added 2026/05/22 2:6 p.m.•3 views

CVE-2026-8347

4.3CVSS5.8AI score0.0023EPSS

Exploits0References2Affected Software1

EUVD•added 2026/05/22 2:6 p.m.•8 views

EUVD-2026-31442

4.3CVSS5.8AI score0.0023EPSS

Vulnrichment•added 2026/05/22 2:6 p.m.•6 views

CVE-2026-8347 Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in Express association Reorder dialog

2.3CVSS5.8AI score0.0023EPSS

CVE•added 2026/05/22 2:6 p.m.•17 views

CVE-2026-8347

The CVE-2026-8347 entry affects Concrete CMS 9.5.0 and earlier, where the Express association Reorder dialog is vulnerable to IDOR and wrong-authorization-level handling, enabling cross-entity state tampering under view-only permissions. The issue is triggered by reliance on Express entity orderi...

4.3CVSS5.8AI score0.0023EPSS

Exploits0References1Affected Software1

Cvelist•added 2026/05/22 1:58 p.m.•12 views

CVE-2026-8340 Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion

Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with editfilecontents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version downgrade to an older version of a file, or activation of a co-editor's unpublished version. The...

2.3CVSS0.00128EPSS

Vulnrichment•added 2026/05/22 1:58 p.m.•7 views

CVE-2026-8340 Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion

2.3CVSS5.8AI score0.00128EPSS

CVE•added 2026/05/22 1:58 p.m.•18 views

CVE-2026-8340

Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion, enabling a user with edit_file_contents to publish an attacker‑chosen version (downgrade or publish an unpublished co-editor version). The entry provides CVSS v4.0 base score 2.3 (low) with network attack vector ...

4.3CVSS5.8AI score0.00128EPSS

Exploits0References1Affected Software1

EUVD•added 2026/05/22 1:58 p.m.•9 views

EUVD-2026-31441

2.3CVSS5.8AI score0.00128EPSS

EUVD•added 2026/05/22 12:31 a.m.•7 views

EUVD-2026-31376

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/logs/bulk/delete. The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

2.3CVSS5.8AI score0.00142EPSS

EUVD•added 2026/05/22 12:31 a.m.•11 views

EUVD-2026-31371

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

EUVD•added 2026/05/22 12:31 a.m.•8 views

EUVD-2026-31368

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file removeFavoriteFolder$id. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

EUVD•added 2026/05/22 12:31 a.m.•6 views

EUVD-2026-31372

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file addFavoriteFolder$id. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

EUVD•added 2026/05/22 12:31 a.m.•8 views

EUVD-2026-31357

Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" . Any authenticated admin or report viewer with access to...

6CVSS5.8AI score0.00139EPSS

EUVD•added 2026/05/22 12:31 a.m.•9 views

EUVD-2026-31378

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/logs/delete. The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan...

2.3CVSS5.8AI score0.00142EPSS

EUVD•added 2026/05/22 12:31 a.m.•9 views

EUVD-2026-31365

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file rescan. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan...

EUVD•added 2026/05/22 12:31 a.m.•8 views

EUVD-2026-31375

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonata...