30 matches found
CVE-2026-7888
CVE-2026-7888 affects Concrete CMS versions below 9.5.2. The vulnerability arises from PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that do not enforce allowed_classes. An unauthenticated attacker could trigger arbitrary PHP object instantiatio...
CVE-2026-8327 Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass.
Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update without field whitelisting resulting in password change without requiring the current...
PT-2026-42556
Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description An Insecure Direct Object Reference IDOR exists in the 'AddMessage' and 'UpdateMessage' conversation controllers. These controllers accept user-supplied file attachment IDs through the attachmen...
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
In Concrete CMS below version 9.4.8, A stored Cross-site Scripting XSS vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...
PT-2026-22867
In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting...
EUVD-2024-0600
Malicious code in bioql PyPI...
EUVD-2022-7449
Malicious code in bioql PyPI...
EUVD-2025-23658
Malicious code in bioql PyPI...
EUVD-2023-2855
Malicious code in bioql PyPI...
EUVD-2024-1175
Malicious code in bioql PyPI...
EUVD-2024-2474
Malicious code in bioql PyPI...
EUVD-2024-2553
Malicious code in bioql PyPI...
CVE-2025-8571
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting XSS in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and if victim is an admi...
CVE-2025-8573
Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The Concrete CMS security team gave this vulnerabili...
CVE-2025-8571
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting XSS in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and if victim is an admi...
CVE-2025-8573 Concrete CMS 9 through 9.4.2 is vulnerable to Stored XSS from Home Folder on Members Dashboard page
Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The Concrete CMS security team gave this...
PT-2025-31997 · Unknown · Concrete Cms
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions 9.0.0 through 9.4.2 Concrete CMS versions prior to 8.5.21 Description: The software is vulnerable to Reflected Cross-Site Scripting XSS in the Conversation Messages Dashboard Page. Unsanitized input could lead to session...
CVE-2024-8660
Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the ho...
CVE-2023-28471
Concrete CMS previously concrete5 in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name...
CVE-2023-48651
Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery CSRF at /ccm/system/dialogs/file/delete/1/submit...