Concretecms Concrete Cms — known CVE vulnerabilities
Every CVE whose affected-product data names Concretecms Concrete Cms, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (154)
CVE-2023-48648 — CVSS 9.8 (critical): Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions…
CVE-2021-40098 — CVSS 9.8 (critical): An issue was discovered in Concrete CMS through 8.5.5. Path Traversal leading to RCE via external form by adding a regular expression.
CVE-2022-21829 — CVSS 9.8 (critical): Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which…
CVE-2021-22958 — CVSS 9.8 (critical): A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the…
CVE-2022-30117 — CVSS 9.1 (critical): Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in…
CVE-2021-40102 — CVSS 9.1 (critical): An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object…
CVE-2026-8428 — CVSS 8.8 (high): Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding…
CVE-2026-8427 — CVSS 8.8 (high): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id…
CVE-2026-8426 — CVSS 8.8 (high): Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<r…
CVE-2026-8417 — CVSS 8.8 (high): Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>…
CVE-2026-8421 — CVSS 8.8 (high): Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/ext…
CVE-2022-43693 — CVSS 8.8 (high): Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete…
CVE-2026-8434 — CVSS 8.8 (high): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The…
CVE-2026-8433 — CVSS 8.8 (high): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan(). The Concrete…
CVE-2026-8432 — CVSS 8.8 (high): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete…
CVE-2026-8416 — CVSS 8.8 (high): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id)…
CVE-2021-22954 — CVSS 8.8 (high): A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other…
CVE-2021-22966 — CVSS 8.8 (high): Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions…
CVE-2026-8415 — CVSS 8.8 (high): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder…
CVE-2026-8414 — CVSS 8.8 (high): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate. The Concrete…
CVE-2026-8413 — CVSS 8.8 (high): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The…
CVE-2021-40097 — CVSS 8.8 (high): An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to to remote code execution via uploaded PHP…
CVE-2026-8412 — CVSS 8.8 (high): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete…
CVE-2026-8411 — CVSS 8.8 (high): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The…
CVE-2026-8410 — CVSS 8.8 (high): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete. The The…
CVE-2021-40108 — CVSS 8.8 (high): An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the…
CVE-2026-8409 — CVSS 8.8 (high): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete. The The Concrete…
CVE-2026-8350 — CVSS 8.8 (high): Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation…
CVE-2021-22970 — CVSS 7.5 (high): Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable…
CVE-2021-40103 — CVSS 7.5 (high): An issue was discovered in Concrete CMS through 8.5.5. Path Traversal can lead to Arbitrary File Reading and SSRF.
CVE-2021-22967 — CVSS 7.5 (high): In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to…
CVE-2021-22951 — CVSS 7.5 (high): Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version…
CVE-2026-3452 — CVSS 7.2 (high): Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block…
CVE-2020-24986 — CVSS 7.2 (high): Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File Manager. It is…
CVE-2021-40099 — CVSS 7.2 (high): An issue was discovered in Concrete CMS through 8.5.5. Fetching the update json scheme over HTTP leads to remote code execution.
CVE-2021-40101 — CVSS 7.2 (high): An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current…
CVE-2020-11476 — CVSS 7.2 (high): Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file.
CVE-2026-8134 — CVSS 7.2 (high): Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when…
CVE-2018-13790 — CVSS 7.2 (high): A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local…
CVE-2021-22968 — CVSS 7.2 (high): A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS…
CVE-2021-36766 — CVSS 7.2 (high): Concrete5 through 8.5.5 deserializes Untrusted Data. The vulnerable code is located within the controllers/single_page/dashboard/system/envi…
CVE-2026-8135 — CVSS 7.2 (high): Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block…
CVE-2026-2994 — CVSS 6.8 (medium): Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id…
CVE-2026-8140 — CVSS 6.5 (medium): Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/<remoteId>…
CVE-2022-43686 — CVSS 6.5 (medium): In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing…
CVE-2026-8435 — CVSS 6.5 (medium): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The…
CVE-2025-3153 — CVSS 6.5 (medium): Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute…
CVE-2021-22950 — CVSS 6.5 (medium): Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachments to comments in the conversation section to be deleted.Credit for…
CVE-2026-30662 — CVSS 6.5 (medium): ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in…
CVE-2017-8082 — CVSS 6.5 (medium): concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by…
CVE-2026-7887 — CVSS 6.4 (medium): For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned…
CVE-2021-40109 — CVSS 6.4 (medium): A SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions…
CVE-2026-7890 — CVSS 6.4 (medium): In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without…
CVE-2022-43690 — CVSS 6.3 (medium): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that…
CVE-2023-28475 — CVSS 6.1 (medium): Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply…
CVE-2022-30120 — CVSS 6.1 (medium): XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled…
CVE-2022-30119 — CVSS 6.1 (medium): XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient…
CVE-2022-43692 — CVSS 6.1 (medium): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator…
CVE-2022-43967 — CVSS 6.1 (medium): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to…
CVE-2022-30118 — CVSS 6.1 (medium): Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet…
CVE-2021-40106 — CVSS 6.1 (medium): An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field.
CVE-2022-43556 — CVSS 6.1 (medium): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result…
CVE-2017-7725 — CVSS 6.1 (medium): concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on…
CVE-2022-43694 — CVSS 6.1 (medium): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library…
CVE-2022-43968 — CVSS 6.1 (medium): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to…
CVE-2023-28477 — CVSS 5.5 (medium): Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via…
CVE-2023-44765 — CVSS 5.4 (medium): A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute…
CVE-2023-28471 — CVSS 5.4 (medium): Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name.
CVE-2023-28474 — CVSS 5.4 (medium): Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search.
CVE-2023-28476 — CVSS 5.4 (medium): Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files.
CVE-2023-44761 — CVSS 5.4 (medium): Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS versions affected to 8.5.13 and below, and 9.0.0 through 9.2.1 allow a…
CVE-2023-44762 — CVSS 5.4 (medium): A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a…
CVE-2023-44763 — CVSS 5.4 (medium): Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting…
CVE-2023-44764 — CVSS 5.4 (medium): A Cross Site Scripting (XSS) vulnerability in Concrete CMS before 9.2.3 exists via the Name parameter during installation (aka Site of…
CVE-2021-22949 — CVSS 5.4 (medium): A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files which can lead to UI inconvenience, and exhaustion of…
CVE-2021-22953 — CVSS 5.4 (medium): A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics which can lead to UI inconvenience, and exhaustion of…
CVE-2021-28145 — CVSS 5.4 (medium): Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. This…
CVE-2021-40100 — CVSS 5.4 (medium): An issue was discovered in Concrete CMS through 8.5.5. Stored XSS can occur in Conversations when the Active Conversation Editor is set to…
CVE-2026-8245 — CVSS 5.4 (medium): Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Paginati…
CVE-2026-8203 — CVSS 5.4 (medium): Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with…
CVE-2024-7398 — CVSS 5.4 (medium): Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because…
CVE-2026-8139 — CVSS 5.4 (medium): Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being…
CVE-2022-43687 — CVSS 5.4 (medium): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth…
CVE-2026-8239 — CVSS 5.3 (medium): Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns…
CVE-2026-8238 — CVSS 5.3 (medium): Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any…
CVE-2026-8237 — CVSS 5.3 (medium): Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of…
CVE-2026-8205 — CVSS 5.3 (medium): Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on…
CVE-2026-8204 — CVSS 5.3 (medium): Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar…
CVE-2022-43691 — CVSS 5.3 (medium): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information…
CVE-2026-7879 — CVSS 5.3 (medium): In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized…
CVE-2022-43689 — CVSS 5.3 (medium): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.
CVE-2026-6826 — CVSS 5.3 (medium): Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller…
CVE-2023-28472 — CVSS 5.3 (medium): Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 does not have Secure and HTTP only attributes set for…
CVE-2021-22969 — CVSS 5.3 (medium): Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability…
CVE-2026-8337 — CVSS 5.3 (medium): Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both…
CVE-2017-18195 — CVSS 5.3 (medium): An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. An unauthenticated user can enumerate comments from…
CVE-2026-8240 — CVSS 5.3 (medium): Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary…
CVE-2014-5107 — CVSS 5.0 (medium): concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2)…
CVE-2024-8661 — CVSS 4.8 (medium): Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block. A rogue administrator…
CVE-2026-3241 — CVSS 4.8 (medium): In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated…
CVE-2026-3242 — CVSS 4.8 (medium): In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team…
CVE-2026-3244 — CVSS 4.8 (medium): In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where page names and…
CVE-2022-43688 — CVSS 4.8 (medium): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons…
CVE-2025-8573 — CVSS 4.8 (medium): Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected…
CVE-2025-8571 — CVSS 4.8 (medium): Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages…
CVE-2025-0660 — CVSS 4.8 (medium): Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function.The "Add Folder" functionality lacks input…
CVE-2022-43695 — CVSS 4.8 (medium): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in…
CVE-2026-3240 — CVSS 4.8 (medium): In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards…
CVE-2024-8660 — CVSS 4.8 (medium): Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top…
CVE-2024-8291 — CVSS 4.8 (medium): Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color. A rogue admin could…
CVE-2024-7512 — CVSS 4.8 (medium): Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject…
CVE-2026-8197 — CVSS 4.8 (medium): Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration…
CVE-2024-7394 — CVSS 4.8 (medium): Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could…
CVE-2024-4353 — CVSS 4.8 (medium): Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance…
CVE-2024-4350 — CVSS 4.8 (medium): Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later…
CVE-2026-8353 — CVSS 4.8 (medium): Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary…
CVE-2021-3111 — CVSS 4.8 (medium): The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express…
CVE-2023-48650 — CVSS 4.8 (medium): Concrete CMS before 8.5.14 and 9 before 9.2.3 is vulnerable to an admin adding a stored XSS payload via the Layout Preset name.
CVE-2023-44766 — CVSS 4.8 (medium): A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the…
CVE-2018-19146 — CVSS 4.8 (medium): Concrete5 8.4.3 has XSS because config/concrete.php allows uploads (by administrators) of SVG files that may contain HTML data with a…
CVE-2023-44760 — CVSS 4.8 (medium): Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted…
CVE-2023-48651 — CVSS 4.3 (medium): Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) at /ccm/system/dialogs/file/delete/1/submit.
CVE-2023-48652 — CVSS 4.3 (medium): Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. An attacker…
CVE-2026-8236 — CVSS 4.3 (medium): Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/…
CVE-2026-8327 — CVSS 4.3 (medium): Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile…
CVE-2014-5108 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in single_pages\download_file.php in concrete5 before 5.6.3 allows remote attackers to inject…
CVE-2026-8340 — CVSS 4.3 (medium): Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF'd…
CVE-2026-8347 — CVSS 4.3 (medium): Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause…
CVE-2014-9526 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in concrete5 5.7.2.1, 5.7.2, and earlier allow remote attackers to inject arbitrary web…
CVE-2026-7882 — CVSS 4.3 (medium): Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller…
CVE-2026-7886 — CVSS 4.3 (medium): Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file…
CVE-2023-48653 — CVSS 4.3 (medium): Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An…
CVE-2026-7881 — CVSS 4.3 (medium): Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID…
CVE-2023-48649 — CVSS 3.5 (low): Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name.
CVE-2023-28819 — CVSS 3.5 (low): Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 through 9.0.2 is vulnerable to Stored XSS in uploaded file and folder…
CVE-2023-28473 — CVSS 3.3 (low): Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs…
CVE-2024-3179 — CVSS 3.1 (low): Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page editing…
CVE-2024-3178 — CVSS 3.1 (low): Concrete CMS versions 9 below 9.2.8 and versions below 8.5.16 are vulnerable to Cross-site Scripting (XSS) in the Advanced File Search…
CVE-2024-3181 — CVSS 3.1 (low): Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the…
CVE-2024-3180 — CVSS 3.1 (low): Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file. Stored XSS could…
CVE-2024-1245 — CVSS 2.4 (low): Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file…
CVE-2023-49337 — CVSS 2.4 (low): Concrete CMS before 9.2.3 allows Stored XSS on the Admin Dashboard via /dashboard/system/basics/name. (8.5 and earlier are unaffected.)
CVE-2024-2179 — CVSS 2.2 (low): Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation…
CVE-2024-1247 — CVSS 2.0 (low): Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of…
CVE-2024-2753 — CVSS 2.0 (low): Concrete CMS version 9 before 9.2.8 and previous versions prior to 8.5.16 is vulnerable to Stored XSS on the calendar color settings screen…
CVE-2023-28820 — CVSS 2.0 (low): Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element…
CVE-2024-1246 — CVSS 2.0 (low): Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of…