<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Concretecms on CVE Alert &amp; Security Feed</title><link>https://cvealert.net/vendors/concretecms/</link><description>Recent content in Concretecms on CVE Alert &amp; Security Feed</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 22 May 2026 15:16:26 +0000</lastBuildDate><atom:link href="https://cvealert.net/vendors/concretecms/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-8340</title><link>https://cvealert.net/posts/cve-2026-8340/</link><pubDate>Fri, 22 May 2026 15:16:26 +0000</pubDate><guid>https://cvealert.net/posts/cve-2026-8340/</guid><description>Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF&amp;rsquo;d into publishing an attacker-chosen previously-uploaded version (downgrade to an older version of a file, or activation of a co-editor&amp;rsquo;s unpublished version). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.</description></item><item><title>CVE-2026-8347</title><link>https://cvealert.net/posts/cve-2026-8347/</link><pubDate>Fri, 22 May 2026 15:16:26 +0000</pubDate><guid>https://cvealert.net/posts/cve-2026-8347/</guid><description>Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using Express and relying on Express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.</description></item><item><title>CVE-2026-8353</title><link>https://cvealert.net/posts/cve-2026-8353/</link><pubDate>Fri, 22 May 2026 15:16:26 +0000</pubDate><guid>https://cvealert.net/posts/cve-2026-8353/</guid><description>Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.</description></item></channel></rss>