Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.3 MEDIUM
CVE-2026-8236 — Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication…

Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns int…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.0 LOW
CVE-2026-8139 — Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName

Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnera…

Remote | Cross-Site Scripting
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.1 LOW
CVE-2026-7890 — Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block

In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses.  The Concrete CM…

Remote | Server-Side Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-7887 — For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account S…

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and r…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-7886 — Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attach…

Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation …

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-7882 — Concrete CMS 9.5.0 and below is vulnerable to CSRF via the DeleteFile controller

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and procee…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.3 MEDIUM
CVE-2026-7881 — Concrete CMS 9.5.0 and below is vulnerable to IDOR in the Express Entry Detail block

Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.3 MEDIUM
CVE-2026-7879 — Concrete CMS 9.5.0 and below is vulnerable to File Download Authorization Bypass in submi…

In Concrete CMS 9.5.0 and below,  the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypa…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
9.8 CRITICAL
CVE-2026-6960 — BookingPress Pro <= 5.6 - Unauthenticated Arbitrary File Upload via Signature Custom Field

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versio…

Remote | Authentication
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
0.0 NA
CVE-2026-5091 — Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timi…

Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess…

| Authentication
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
5.1 MEDIUM
CVE-2026-4929 — Simple Hierarchical Select (Drupal 7) XSS in term-derived output

Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_fie…

Remote | Cross-Site Scripting
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
5.1 MEDIUM
CVE-2026-4093 — Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term label…

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token di…

Remote | Cross-Site Scripting
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
5.4 MEDIUM
CVE-2026-22678 — Webmin < 2.641 Stored XSS via System and Server Status

Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attack…

Remote | Cross-Site Scripting
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
7.5 HIGH
CVE-2026-8428 — CSRF token is not validated in the core CMS update controller for Concrete CMS 9.5.0 and …

Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashb…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
7.5 HIGH
CVE-2026-8426 — Concrete CMS 9.5.0 and below is vulnerable to CSRF on prepare_remote_upgrade() leading to…

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package ret…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
7.5 HIGH
CVE-2026-8421 — Concrete CMS 9.5.0 and below is vulnerable to CSRF on install_package() with conditional …

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php.  An attacker who can cause an authenticate…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
7.5 HIGH
CVE-2026-8417 — Concrete CMS 9.5.0 and below is vulnerable to CSRF in do_update() in the package update c…

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/da…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
7.5 HIGH
CVE-2026-8350 — Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assi…

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access …

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.3 MEDIUM
CVE-2026-8205 — Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in Calendar Block sinc…

Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.3 MEDIUM
CVE-2026-8204 — Concrete CMS 9.5.0 and below is vulnerable to Authorization Bypass in the Calendar Event …

Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
Showing 20 of 6253 Results