Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
2.3 LOW
CVE-2026-8412 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 sco…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8411 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 sco…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8410 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete.  The The Concrete CMS security team gave this vulnerability a CVSS v.4.…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8409 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete.  The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 sco…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.3 MEDIUM
CVE-2026-8337 — Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys when sites are running conc…

Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unau…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
5.3 MEDIUM
CVE-2026-8327 — Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorizati…

Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo…

Remote | Authentication
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.0 MEDIUM
CVE-2026-8245 — Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML…

Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL fi…

Remote | Cross-Site Scripting
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.3 MEDIUM
CVE-2026-8240 — Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure in…

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted …

Remote | Information Disclosure
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.3 MEDIUM
CVE-2026-8239 — Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/get_ra…

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security …

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.3 MEDIUM
CVE-2026-8238 — Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/messag…

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enume…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.3 MEDIUM
CVE-2026-8237 — Concrete CMS 9.5.0 and below is vulnerable to IDOR in the`/ccm/frontend/conversations/mes…

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enu…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.3 MEDIUM
CVE-2026-8236 — Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication…

Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns int…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.0 LOW
CVE-2026-8139 — Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName

Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnera…

Remote | Cross-Site Scripting
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.1 LOW
CVE-2026-7890 — Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block

In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses.  The Concrete CM…

Remote | Server-Side Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-7887 — For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account S…

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and r…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-7886 — Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attach…

Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation …

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-7882 — Concrete CMS 9.5.0 and below is vulnerable to CSRF via the DeleteFile controller

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and procee…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.3 MEDIUM
CVE-2026-7881 — Concrete CMS 9.5.0 and below is vulnerable to IDOR in the Express Entry Detail block

Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.3 MEDIUM
CVE-2026-7879 — Concrete CMS 9.5.0 and below is vulnerable to File Download Authorization Bypass in submi…

In Concrete CMS 9.5.0 and below,  the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypa…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
9.8 CRITICAL
CVE-2026-6960 — BookingPress Pro <= 5.6 - Unauthenticated Arbitrary File Upload via Signature Custom Field

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versio…

Remote | Authentication
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
Showing 20 of 6265 Results