Lucene search
K

5 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:11 p.m.11 views

CVE-2026-8140

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download method in concrete/controllers/singlepage/dashboard/extend/install.php checks only the canInstallPackages permission before fetching a remote marketplace...

7.5CVSS5.5AI score0.00118EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/21 9:30 p.m.2 views

Cross-site Request Forgery (CSRF)

Overview concrete5/concrete5 is a concrete5 open source CMS. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the /dashboard/extend/update/prepareremoteupgrade/ process. An attacker can execute arbitrary code as the web server user by tricking an authenticat...

8.8CVSS6AI score0.00171EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/21 8:22 p.m.9 views

EUVD-2026-31337

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepareremoteupgrade/. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade method to...

7.5CVSS6.5AI score0.00171EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/21 8:20 p.m.8 views

CVE-2026-8140

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download method in concrete/controllers/singlepage/dashboard/extend/install.php checks only the canInstallPackages permission before fetching a remote marketplace...

7.5CVSS5.9AI score0.00118EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.13 views

PT-2026-42541

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download method in concrete/controllers/single page/dashboard/extend/install.php checks only the canInstallPackages permission before fetching a remote marketplace...

7.5CVSS5.9AI score0.00118EPSS
Exploits0References2
Rows per page
Query Builder