EUVD-2026-31368

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file removeFavoriteFolder$id. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

CVE-2026-8416

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file addFavoriteFolder$id. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

CVE-2026-8416

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file addFavoriteFolder$id. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

CVE-2026-8416 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id)

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file addFavoriteFolder$id. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

CVE-2026-8416

Concrete CMS versions 9.0.0 through 9.4.x are vulnerable to Cross Site Request Forgery (CSRF) in the concrete/controllers/backend/file addFavoriteFolder($id) function. The issue stems from CSRF protection gaps in that endpoint. Public disclosures in multiple sources (including PT-2026-42572) conf...

CVE-2026-8416 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id)

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file addFavoriteFolder$id. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

CVE-2026-8427 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id)

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file removeFavoriteFolder$id. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

CVE-2026-8427 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id)

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file removeFavoriteFolder$id. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

CVE-2026-8427

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file removeFavoriteFolder$id. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

CVE-2026-8427

Concrete CMS versions 9.0.0–9.4.x are affected by a Cross-Site Request Forgery (CSRF) in the endpoint concrete/controllers/backend/file removeFavoriteFolder($id). The issue is caused by insufficient CSRF protection in that function, enabling an attacker to induce authenticated users to perform un...

PT-2026-42573

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.0.0 through 9.4.x Description Cross Site Request Forgery CSRF occurs at the 'concrete/controllers/backend/file' endpoint within the removeFavoriteFolder$id function. CSRF is a flaw that allows an attacker to induce a us...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization through the PUT /api/echo/like/:id endpoint, which lacks authentication and rate limiting. An attacker can manipulate the favcount of any echo, including private ones, by sending repeated requests without...

CVE-2026-33759 AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are...

CVE-2026-33759 AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are...

ClipBucket 安全漏洞

ClipBucket is an open-source PHP script developed by MacWarrior. It is available for free download and used to create video-sharing websites. Versions of ClipBucket prior to v5.5.3.359 contained a security vulnerability due to a lack of authorization checks, which could lead to modifying other...

Exploit for Injection in Apache Solr

Apache-Solr-RCE-CVE-2019-17558 🛡️ Apache Solr Remote Code E...

CVE-2026-23496

Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an...

CVE-2023-40351

A cross-site request forgery CSRF vulnerability in Jenkins Favorite View Plugin 5.v77a37f62782d and earlier allows attackers to add or remove views from another user's favorite views tab bar...

CVE-2025-23636

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Dimitar A. My Favorite Car my-favorite-cars allows Reflected XSS.This issue affects My Favorite Car: from n/a through = 1.0...

WordPress CBX Bookmark & Favorite plugin <= 2.0.4 - Authenticated (Subscriber+) SQL Injection via `orderby` Parameter vulnerability

Authenticated Subscriber+ SQL Injection via orderby Parameter vulnerability discovered by Muhamad Visat in WordPress Plugin CBX Bookmark & Favorite versions = 2.0.4...