Lucene search
K

4335 matches found

CVE
CVE
added 2026/05/23 6:30 p.m.26 views

CVE-2018-25353

Affected software: Redaxo CMS Mediapool Addon 5.5.1 and older. Vulnerability: Arbitrary file upload via bypassing the extension blacklist, enabled by obfuscated extensions (e.g., php71, php53). Impact: Authenticated editor users can upload executable files, potentially achieving code execution (h...

8.8CVSS6AI score0.00452EPSS
Exploits0References4
NVD
NVD
added 2026/05/21 10:16 p.m.14 views

CVE-2026-8412

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan...

8.8CVSS0.0013EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.4 views

Concrete CMS is vulnerable to authorization bypass in the Calendar Event Frontend Dialog

Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data...

6.3CVSS5.8AI score0.00211EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/21 9:28 p.m.4 views

CVE-2026-8416

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file addFavoriteFolder$id. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

2.3CVSS5.8AI score0.0013EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/21 9:25 p.m.6 views

CVE-2026-8433 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan()

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file rescan. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan...

2.3CVSS5.8AI score0.0013EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/21 9:17 p.m.37 views

CVE-2026-7882 Concrete CMS 9.5.0 and below is vulnerable to CSRF via the DeleteFile controller

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protecti...

2.3CVSS0.00116EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/21 9:7 p.m.32 views

CVE-2026-7879 Concrete CMS 9.5.0 and below is vulnerable to File Download Authorization Bypass in submit_password()

In Concrete CMS 9.5.0 and below, the submitpassword method in concrete/controllers/singlepage/downloadfile.php allows unauthorized file access since downloading permission-restricted files bypasses the viewfile permission check. Files without passwords can be downloaded and any user who knows a...

6.3CVSS0.00224EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/21 9:4 p.m.10 views

CVE-2026-8238 Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/message_page' allowing unauthenticated read of any conversation message

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/messagepage' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and th...

6.3CVSS5.8AI score0.00201EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/21 8:56 p.m.8 views

CVE-2026-8204 Concrete CMS 9.5.0 and below is vulnerable to Authorization Bypass in the Calendar Event Frontend Dialog

Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a...

6.3CVSS5.8AI score0.00211EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/21 8:31 p.m.8 views

CVE-2026-8203

Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential...

7.3CVSS5.8AI score0.00122EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.13 views

PT-2026-42577

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.0 through 9.4.x Description Cross Site Request Forgery CSRF occurs at the 'concrete/controllers/backend/file' endpoint within the approveVersion function. CSRF is a flaw that allows an attacker to induce a user to perfo...

2.3CVSS5.8AI score0.00115EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/21 12:0 a.m.11 views

Concrete CMS 跨站请求伪造漏洞

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS prior to 9.5.0 had a cross-site request forgeing vulnerability. This vulnerability was exploited through the concrete/controllers/backend/file rescanMultiple function, making it susceptibl...

8.8CVSS5.7AI score0.0013EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.11 views

PT-2026-42686

Impact Some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks. Patches The issue is resolved in versions...

5.4CVSS5.7AI score0.0018EPSS
Exploits0References6
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux – Vulnerability in Wireshark

A crash in the CMS protocol dissector in Wireshark versions 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows for denial of service through packet injection or malicious capture files...

7.5CVSS7.1AI score0.01839EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/18 10:7 a.m.41 views

CVE-2026-4320 Authorization Bypass in ICMS Content Management by Creartia Internet Consulting

Authorization Bypass vulnerability in Creartia's ICMS software could allow an attacker to gain unauthorized access to protected features by manipulating the HTTP redirect headers of the login process, causing the script to continue running and enabling privilege escalation without the need for...

9.3CVSS0.00254EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/18 12:0 a.m.14 views

iCMS 安全漏洞

iCMS is a software application. It is a highly efficient and concise content management system built using PHP and MySQL. iCMS has security vulnerabilities, which stem from authorization bypasses. This could allow attackers to gain unauthorized access by manipulating HTTP redirect headers during...

9.3CVSS5.8AI score0.00254EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.15 views

PT-2026-41665

Authorization Bypass vulnerability in Creartia's ICMS software could allow an attacker to gain unauthorized access to protected features by manipulating the HTTP redirect headers of the login process, causing the script to continue running and enabling privilege escalation without the need for...

9.3CVSS5.8AI score0.00254EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/17 12:0 a.m.10 views

Zenar Content Management System 跨站脚本漏洞

Zenar Content Management System is a set of open-source content management systems developed by the Zenar team. The Zenar Content Management System has a cross-site scripting vulnerability. This vulnerability stems from cross-site scripting, which allows unauthenticated attackers to inject...

6.1CVSS5.6AI score0.00215EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/16 3:25 p.m.9 views

EUVD-2020-31240

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when othe...

6.4CVSS5.6AI score0.00243EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/16 12:0 a.m.14 views

PT-2026-41437

Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Attackers with admin credentials can inject XSS payloads in the Description field of the Add banner...

6.4CVSS5.7AI score0.00239EPSS
Exploits0References5
Rows per page
Query Builder