Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
2.3 LOW
CVE-2026-8410 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete.  The The Concrete CMS security team gave this vulnerability a CVSS v.4.…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8411 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 sco…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8412 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 sco…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8413 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 sco…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8414 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 scor…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8415 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVS…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8416 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CV…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
0.0 NA
CVE-2026-6960 — BookingPress Pro <= 5.6 - Unauthenticated Arbitrary File Upload via Signature Custom Field

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versio…

| Authentication
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8427 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8432 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8433 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8434 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The Concrete CMS security team gave this vulnerability a CVSS v.4…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-8435 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concret…

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v.4…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-7887 — For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account S…

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and r…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-7886 — Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attach…

Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation …

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
2.3 LOW
CVE-2026-7882 — Concrete CMS 9.5.0 and below is vulnerable to CSRF via the DeleteFile controller

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and procee…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
7.5 HIGH
CVE-2026-8428 — CSRF token is not validated in the core CMS update controller for Concrete CMS 9.5.0 and …

Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashb…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
7.5 HIGH
CVE-2026-8426 — Concrete CMS 9.5.0 and below is vulnerable to CSRF on prepare_remote_upgrade() leading to…

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package ret…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
7.5 HIGH
CVE-2026-8421 — Concrete CMS 9.5.0 and below is vulnerable to CSRF on install_package() with conditional …

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php.  An attacker who can cause an authenticate…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
7.5 HIGH
CVE-2026-8417 — Concrete CMS 9.5.0 and below is vulnerable to CSRF in do_update() in the package update c…

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/da…

Remote | Cross-Site Request Forgery
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
Showing 20 of 6296 Results