Lucene search
K

30 matches found

CVE
CVE
added 2026/06/03 6:10 p.m.23 views

CVE-2026-7888

CVE-2026-7888 affects Concrete CMS versions below 9.5.2. The vulnerability arises from PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that do not enforce allowed_classes. An unauthenticated attacker could trigger arbitrary PHP object instantiatio...

8.4CVSS5.9AI score0.00175EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/21 9:15 p.m.10 views

CVE-2026-8327 Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass.

Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update without field whitelisting resulting in password change without requiring the current...

5.3CVSS5.8AI score0.00182EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.18 views

PT-2026-42556

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description An Insecure Direct Object Reference IDOR exists in the 'AddMessage' and 'UpdateMessage' conversation controllers. These controllers accept user-supplied file attachment IDs through the attachmen...

2.3CVSS5.8AI score0.00288EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/04 3:31 a.m.8 views

Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability

In Concrete CMS below version 9.4.8, A stored Cross-site Scripting XSS vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page nam...

4.8CVSS5.9AI score0.00195EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.9 views

PT-2026-22867

In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting...

4.8CVSS5.9AI score0.00199EPSS
Exploits1References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-0600

Malicious code in bioql PyPI...

4.8CVSS5AI score0.00453EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2022-7449

Malicious code in bioql PyPI...

8.8CVSS8.6AI score0.0044EPSS
Exploits0References7
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2025-23658

Malicious code in bioql PyPI...

4.8CVSS6.3AI score0.00317EPSS
Exploits0References6
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2023-2855

Malicious code in bioql PyPI...

5.4CVSS5.5AI score0.00587EPSS
Exploits0References7
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-1175

Malicious code in bioql PyPI...

4.8CVSS5.3AI score0.00359EPSS
Exploits0References6
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-2474

Malicious code in bioql PyPI...

4.8CVSS6.4AI score0.00285EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2024-2553

Malicious code in bioql PyPI...

4.8CVSS6.4AI score0.00375EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2025/08/07 11:32 p.m.6 views

CVE-2025-8571

Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting XSS in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and if victim is an admi...

4.8CVSS5.8AI score0.00317EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/08/07 11:31 p.m.10 views

CVE-2025-8573

Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The Concrete CMS security team gave this vulnerabili...

4.8CVSS5.5AI score0.0044EPSS
Exploits1References1
NVD
NVD
added 2025/08/05 11:15 p.m.9 views

CVE-2025-8571

Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting XSS in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and if victim is an admi...

4.8CVSS0.00317EPSS
Exploits0References3
Cvelist
Cvelist
added 2025/08/05 10:36 p.m.11 views

CVE-2025-8573 Concrete CMS 9 through 9.4.2 is vulnerable to Stored XSS from Home Folder on Members Dashboard page

Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The Concrete CMS security team gave this...

2CVSS0.0044EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2025/08/05 12:0 a.m.7 views

PT-2025-31997 · Unknown · Concrete Cms

Name of the Vulnerable Software and Affected Versions: Concrete CMS versions 9.0.0 through 9.4.2 Concrete CMS versions prior to 8.5.21 Description: The software is vulnerable to Reflected Cross-Site Scripting XSS in the Conversation Messages Dashboard Page. Unsanitized input could lead to session...

4.8CVSS5.5AI score0.00317EPSS
Exploits0References11
RedhatCVE
RedhatCVE
added 2025/05/23 10:34 a.m.6 views

CVE-2024-8660

Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the ho...

4.8CVSS5.7AI score0.00273EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 4:51 a.m.8 views

CVE-2023-28471

Concrete CMS previously concrete5 in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name...

5.4CVSS5.5AI score0.00544EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 4:42 a.m.11 views

CVE-2023-48651

Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery CSRF at /ccm/system/dialogs/file/delete/1/submit...

4.3CVSS6.9AI score0.00276EPSS
Exploits0
Rows per page
Query Builder