EUVD-2026-31347

Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/fID accepts an integer file ID in the URL and returns internal site structure data page IDs, versions, URL paths to anyone who sends a GET request. The...

CVE-2026-8236

Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/fID accepts an integer file ID in the URL and returns internal site structure data page IDs, versions, URL paths to anyone who sends a GET request. The...

CVE-2026-6826

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/fID with any file ID and receive a list of every page that references that file,...

CVE-2026-8236 Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate for endpoint /ccm/system/dialogs/file/usage/{fID}

Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/fID accepts an integer file ID in the URL and returns internal site structure data page IDs, versions, URL paths to anyone who sends a GET request. The...

CVE-2026-8236

Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/fID accepts an integer file ID in the URL and returns internal site structure data page IDs, versions, URL paths to anyone who sends a GET request. The...

CVE-2026-8236

Concrete CMS 9.5.0 and earlier is affected by an IDOR flaw due to a missing authentication gate on GET requests to /ccm/system/dialogs/file/usage/{fID}. The endpoint accepts an integer file ID and can disclose internal site structure data (page IDs, versions, URL paths) to unauthenticated users. ...

CVE-2026-8236 Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate for endpoint /ccm/system/dialogs/file/usage/{fID}

Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/fID accepts an integer file ID in the URL and returns internal site structure data page IDs, versions, URL paths to anyone who sends a GET request. The...

CVE-2026-6826 Concrete 9.5.0 and below has file usage disclosure via missing permission check in Usage controller

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/fID with any file ID and receive a list of every page that references that file,...

EUVD-2026-31344

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/fID with any file ID and receive a list of every page that references that file,...

CVE-2026-6826

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure due to a missing permission check in the usage controller. An unauthenticated visitor can access /ccm/system/dialogs/file/usage/{fID} with any file ID and obtain a list of every page referencing that file, includi...

CVE-2026-6826 Concrete 9.5.0 and below has file usage disclosure via missing permission check in Usage controller

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/fID with any file ID and receive a list of every page that references that file,...

PT-2026-42558

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.5.0 and earlier Description An Insecure Direct Object Reference IDOR, which occurs when an application provides direct access to objects based on user-supplied input, combined with a missing authentication gate allows...

PT-2026-42540

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.5.0 and earlier Description An issue exists where a missing permission check in the usage controller allows unauthenticated visitors to disclose file usage information. By requesting the endpoint...

Concrete CMS 信息泄露漏洞

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS 9.5.0 and earlier had a vulnerability related to information leakage. This vulnerability stemmed from insufficient permission checks in the use of controllers, which could allow...

CVE-2026-33247

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv the command-line, then those credentials are visible to any user who can see the...

curl: Bearer Token Leaked to Attacker via .netrc Despite CVE-2026-3783 Fix

curl versions 8.19.0 and later were meant to fix CVE-2026-3783, which causes OAuth2 bearer tokens to leak on HTTP redirects when the user has a .netrc file configured. However, the vulnerability still exists in the current codebase. VULNERABILITY: When a curl user specifies an OAuth2 bearer token...

UBUNTU-CVE-2025-13353

In gokey versions 0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any...

Insecure Temporary File Usage

llama-index-core is vulnerable to Insecure Temporary File Usage. The vulnerability is due to the use of a predictable hardcoded cache directory /tmp/llamaindex in getcachedir, where attackers on multi-user Linux systems can steal cached model data, poison embeddings, or exploit symlink race...

EUVD-2025-31584

Malicious code in bioql PyPI...

CVE-2025-34233

Vasion Print (formerly PrinterLogic) Virtual Appliance Host before 25.1.102 and Application before 25.1.1413 are affected by a protection mechanism failure in the file_get_contents()/CURL usage. When an administrator configures a printer hostname (or similar callback field), the value is passed u...