Lucene search
K

215 matches found

NVD
NVD
added 2026/07/06 5:16 a.m.15 views

CVE-2026-14793

A vulnerability was detected in Craft CMS up to 4.18.0.1. Affected is the function actionReorderSets of the file src/controllers/GlobalsController.php of the component reorder-sets Endpoint. The manipulation results in authorization bypass. The attack can be executed remotely. Upgrading to versio...

5.3CVSS0.00224EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/07/06 3:30 a.m.6 views

CVE-2026-14793

A vulnerability was detected in Craft CMS up to 4.18.0.1. Affected is the function actionReorderSets of the file src/controllers/GlobalsController.php of the component reorder-sets Endpoint. The manipulation results in authorization bypass. The attack can be executed remotely. Upgrading to versio...

5.3CVSS5.7AI score0.00224EPSS
Exploits0References7Affected Software1
CVE
CVE
added 2026/07/06 3:30 a.m.15 views

CVE-2026-14793

The vulnerability affects Craft CMS up to version 4.18.0.1, specifically the function actionReorderSets in src/controllers/GlobalsController.php of the reorder-sets Endpoint. The issue results in an authorization bypass and can be exploited remotely. A fix is available in version 4.18.1, with the...

5.3CVSS5.7AI score0.00224EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/06 3:30 a.m.6 views

EUVD-2026-41804

A vulnerability was detected in Craft CMS up to 4.18.0.1. Affected is the function actionReorderSets of the file src/controllers/GlobalsController.php of the component reorder-sets Endpoint. The manipulation results in authorization bypass. The attack can be executed remotely. Upgrading to versio...

5.3CVSS5.7AI score0.00224EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/07/06 3:30 a.m.34 views

CVE-2026-14793 Craft CMS reorder-sets Endpoint GlobalsController.php actionReorderSets authorization

A vulnerability was detected in Craft CMS up to 4.18.0.1. Affected is the function actionReorderSets of the file src/controllers/GlobalsController.php of the component reorder-sets Endpoint. The manipulation results in authorization bypass. The attack can be executed remotely. Upgrading to versio...

5.3CVSS0.00224EPSS
Exploits0References6
OSV
OSV
added 2026/06/24 4:28 p.m.1 views

CVE-2026-52984 net/sched: netem: fix queue limit check to include reordered packets

In the Linux kernel, the following vulnerability has been resolved: net/sched: netem: fix queue limit check to include reordered packets The queue limit check in netemenqueue uses q-tlen which only counts packets in the internal tfifo. Packets placed in sch-q by the reorder path qdiscenqueuehead...

5.8AI score0.00184EPSS
Exploits0References11
RedhatCVE
RedhatCVE
added 2026/06/05 7:43 p.m.9 views

CVE-2026-8415

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

8.8CVSS5.5AI score0.0013EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:42 p.m.11 views

CVE-2026-8347

Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity ordering. T...

4.3CVSS5.4AI score0.00175EPSS
Exploits0References1
OSV
OSV
added 2026/05/29 9:57 p.m.9 views

GHSA-RWJR-QJJ3-MQ2F Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`

Summary modules/categories.php checks that the supplied type parameter ANN, EVT, ROL, USF, … corresponds to a module the actor administers. The follow-up "is this specific category editable by me" check at lines 56-61 is dead code because it compares $getType a category-type code against mode nam...

6.5CVSS5.9AI score0.00029EPSS
Exploits0References2
NVD
NVD
added 2026/05/22 3:16 p.m.16 views

CVE-2026-8347

Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity...

4.3CVSS0.00175EPSS
Exploits0References1
CVE
CVE
added 2026/05/22 2:6 p.m.29 views

CVE-2026-8347

The CVE-2026-8347 entry affects Concrete CMS 9.5.0 and earlier, where the Express association Reorder dialog is vulnerable to IDOR and wrong-authorization-level handling, enabling cross-entity state tampering under view-only permissions. The issue is triggered by reliance on Express entity orderi...

4.3CVSS5.8AI score0.00175EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/22 2:6 p.m.8 views

CVE-2026-8347 Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in Express association Reorder dialog

Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity...

2.3CVSS5.8AI score0.00175EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/22 2:6 p.m.13 views

EUVD-2026-31442

Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity...

4.3CVSS5.8AI score0.00175EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/22 2:6 p.m.6 views

CVE-2026-8347

Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity...

4.3CVSS5.8AI score0.00175EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/22 12:31 a.m.14 views

EUVD-2026-31371

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

2.3CVSS5.8AI score0.0013EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/22 12:0 a.m.14 views

PT-2026-42773

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description An Insecure Direct Object Reference IDOR and incorrect authorization level exist in the Express association Reorder dialog. This allows for cross-entity state tampering, where a user with...

4.3CVSS5.8AI score0.00175EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/22 12:0 a.m.10 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS 9.5.0 and earlier contain security vulnerabilities. These vulnerabilities stem from insecure direct object references in the Express-associated reorder dialog boxes, as well as incorrect...

4.3CVSS5.8AI score0.00175EPSS
Exploits0References1
NVD
NVD
added 2026/05/21 10:16 p.m.20 views

CVE-2026-8415

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

8.8CVSS0.0013EPSS
Exploits0References1
CVE
CVE
added 2026/05/21 9:29 p.m.21 views

CVE-2026-8415

Concrete CMS 9.x before 9.5.0 is vulnerable to Cross-Site Request Forgery at the endpoint concrete/controllers/dialog/express/association/reorder. Affected versions include 9.0.0 through 9.4.x. Root cause is CSRF in the reorder action; exploitation details are not provided in the documents beyond...

8.8CVSS5.8AI score0.0013EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/21 9:29 p.m.9 views

CVE-2026-8415 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

2.3CVSS5.8AI score0.0013EPSS
Exploits0References1
Rows per page
Query Builder