
Concrete CMS — Vulnerabilities & Security Advisories (71)

Browse all 71 CVE security advisories affecting Concrete CMS. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Concrete CMS is an open-source content management system designed for building and managing websites, primarily targeting small to medium-sized enterprises and organizations requiring flexible content structures. Historically, its codebase has exhibited vulnerabilities typical of PHP-based applications, including remote code execution, cross-site scripting, and privilege escalation flaws. These issues often stem from insufficient input validation and improper access controls within legacy modules. Security audits have identified multiple critical entries, with twenty-seven CVEs currently on record, reflecting persistent challenges in maintaining secure coding practices across its extensive feature set. Notable incidents involve exploited authentication bypasses and file inclusion errors that allowed unauthorized access to sensitive data. While recent updates have addressed many of these weaknesses, the high volume of historical vulnerabilities underscores the necessity for rigorous code review and continuous security monitoring to mitigate risks associated with its widespread deployment in diverse web environments.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-8353 | Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme | Concrete CMS | CWE-79 | - | - | 2026-05-22 |
| CVE-2026-8347 | Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in Express association Reorder dialog | Concrete CMS | CWE-639 | - | - | 2026-05-22 |
| CVE-2026-8340 | Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion | Concrete CMS | CWE-352 | - | - | 2026-05-22 |
| CVE-2026-8139 | Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName | Concrete CMS | CWE-79 | - | - | 2026-05-21 |
| CVE-2026-7890 | Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block | Concrete CMS | CWE-918 | - | - | 2026-05-21 |
| CVE-2026-8409 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-8410 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-8411 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-8412 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-8413 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-8414 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-8415 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-8416 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id) | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-8427 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id) | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-8432 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star() | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-8433 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan() | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-8434 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple() | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-8435 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion() | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-7887 | For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status | Concrete CMS | CWE-1287 | - | - | 2026-05-21 |
| CVE-2026-7886 | Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter | Concrete CMS | CWE-639 | - | - | 2026-05-21 |
| CVE-2026-7882 | Concrete CMS 9.5.0 and below is vulnerable to CSRF via the DeleteFile controller | Concrete CMS | CWE-352 | - | - | 2026-05-21 |
| CVE-2026-8327 | Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass | Concrete CMS | CWE-915 | - | - | 2026-05-21 |
| CVE-2026-8245 | Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection | Concrete CMS | CWE-83 | - | - | 2026-05-21 |
| CVE-2026-8337 | Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys when sites are running concurrent public surveys and private surveys | Concrete CMS | CWE-639 | - | - | 2026-05-21 |
| CVE-2026-8240 | Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure in Backend\SummaryTemplate | Concrete CMS | CWE-284 | - | - | 2026-05-21 |
| CVE-2026-7881 | Concrete CMS 9.5.0 and below is vulnerable to IDOR in the Express Entry Detail block | Concrete CMS | CWE-639 | - | - | 2026-05-21 |
| CVE-2026-7879 | Concrete CMS 9.5.0 and below is vulnerable to File Download Authorization Bypass in submit_password() | Concrete CMS | CWE-862 | - | - | 2026-05-21 |
| CVE-2026-8238 | Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/message_page' allowing unauthenticated read of any conversation message | Concrete CMS | CWE-862 | - | - | 2026-05-21 |
| CVE-2026-8237 | Concrete CMS 9.5.0 and below is vulnerable to IDOR in the `/ccm/frontend/conversations/message_detail` endpoint | Concrete CMS | CWE-862 | - | - | 2026-05-21 |
| CVE-2026-8239 | Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/get_rating' | Concrete CMS | CWE-862 | - | - | 2026-05-21 |

This page lists every published CVE security advisory associated with Concrete CMS. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.