CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 2026/05/21 10:16 p.m.•6 views

CVE-2026-8139

Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with...

5.4CVSS0.00022EPSS

NVD•added 2026/05/21 10:16 p.m.•8 views

CVE-2026-8237

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The /ccm/frontend/conversations/messagedetail endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and th...

6.3CVSS0.00046EPSS

NVD•added 2026/05/21 10:16 p.m.•8 views

CVE-2026-8238

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/messagepage' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and th...

6.3CVSS0.00046EPSS

NVD•added 2026/05/21 10:16 p.m.•6 views

CVE-2026-7881

Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference IDOR in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3...

6.3CVSS0.00027EPSS

NVD•added 2026/05/21 10:16 p.m.•8 views

CVE-2026-7879

In Concrete CMS 9.5.0 and below, the submitpassword method in concrete/controllers/singlepage/downloadfile.php allows unauthorized file access since downloading permission-restricted files bypasses the viewfile permission check. Files without passwords can be downloaded and any user who knows a...

6.3CVSS0.0003EPSS

Vulnrichment•added 2026/05/21 9:45 p.m.•3 views

CVE-2026-8139 Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName

2CVSS5.8AI score0.00022EPSS

CVE•added 2026/05/21 9:45 p.m.•11 views

CVE-2026-8139

Concrete CMS versions 9.5.0 and earlier are vulnerable to stored XSS on the external-link page cvName due to updateCollectionAliasExternal bypassing sanitization. The issue is triggered by the sanitize bypass in updateCollectionAliasExternal, enabling stored scripts delivered to users. Affected p...

5.4CVSS5.8AI score0.00022EPSS

Exploits0References1Affected Software1

Cvelist•added 2026/05/21 9:45 p.m.•22 views

CVE-2026-8139 Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName

2CVSS0.00022EPSS

ATTACKERKB•added 2026/05/21 9:45 p.m.•1 views

CVE-2026-8139

2CVSS5.8AI score0.00022EPSS

CVE•added 2026/05/21 9:43 p.m.•7 views

CVE-2026-7890

Concrete CMS 9.5.0 and earlier are affected by a server-side SSRF in the RSS Displayer block that accepts arbitrary feed URLs without validation, enabling redirect-to-internal bypasses. The CVE-2026-7890 entry documents a CVSSv4.0 score of 2.1 (low) with network attack vector and high privileges ...

6.4CVSS5.8AI score0.00024EPSS

Exploits0References1Affected Software1

Cvelist•added 2026/05/21 9:43 p.m.•22 views

CVE-2026-7890 Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block

In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a...

2.1CVSS0.00024EPSS

Vulnrichment•added 2026/05/21 9:43 p.m.•3 views

CVE-2026-7890 Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block

2.1CVSS5.8AI score0.00024EPSS

ATTACKERKB•added 2026/05/21 9:43 p.m.•2 views

CVE-2026-7890

2.1CVSS5.8AI score0.00024EPSS

ATTACKERKB•added 2026/05/21 9:40 p.m.•2 views

CVE-2026-8409

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/logs/delete. The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan...

CVE•added 2026/05/21 9:40 p.m.•8 views

CVE-2026-8409

Concrete CMS 9 before 9.5.0 is vulnerable to Cross-Site Request Forgery (CSRF) at the endpoint concrete/controllers/dialog/logs/delete. This CSRF flaw can enable an attacker to trick a user into submitting a request, with CVSS v4.0 base score 2.3 reported. Remediation: upgrade to Concrete CMS 9.5...

8.8CVSS5.8AI score0.00022EPSS

Exploits0References1Affected Software1

Vulnrichment•added 2026/05/21 9:40 p.m.•3 views

CVE-2026-8409 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete

Cvelist•added 2026/05/21 9:40 p.m.•26 views

CVE-2026-8409 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete

2.3CVSS0.00022EPSS

ATTACKERKB•added 2026/05/21 9:32 p.m.•1 views

CVE-2026-8410

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/logs/bulk/delete. The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

Vulnrichment•added 2026/05/21 9:32 p.m.•3 views

CVE-2026-8410 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete