PatchSiren cyber security CVE debrief
CVE-2026-8240 Concrete CMS CVE debrief
CVE-2026-8240 affects Concrete CMS 9.5.0 and below. When a page uses a configured summary template, an unauthenticated requester can learn metadata about pages that should remain hidden, including the existence of private, draft, and restricted pages, along with title, path, description, and author information. The published CVSS v4.0 score is 6.3 (Medium), reflecting a confidentiality issue driven by network-accessible, unauthenticated exposure.
- Vendor: Concrete CMS
- Product: Unknown
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Organizations running Concrete CMS sites, especially those that use summary templates on pages that may include private, draft, or restricted content. Security teams, CMS administrators, and content editors should care because the issue can reveal unpublished site structure and page details without authentication.
Technical summary
According to the supplied NVD summary, Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across pages that have a configured summary template. The exposure leaks whether hidden pages exist and reveals title, path, description, and author metadata. The supplied CVSS vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, and the cited weakness mapping is CWE-284.
Defensive priority
Medium. This is a confidentiality-focused issue that can expose sensitive site structure and unpublished content metadata, which may aid reconnaissance or privacy-sensitive discovery. Prioritize if your site uses summary templates for content segregation or contains restricted editorial content.
Recommended defensive actions
- Review whether any public-facing Concrete CMS pages use summary templates that could expose metadata for non-public content.
- Check the Concrete CMS 9.5.1 release notes referenced in the source material for vendor remediation guidance.
- Apply the vendor's fixed release or patch guidance once confirmed in your environment.
- Audit page templates and content permissions to reduce unnecessary exposure of titles, paths, descriptions, and author fields.
- Monitor logs and page output for unexpected disclosure of hidden page metadata until remediation is complete.
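One way to carry out the review and monitoring steps above, as an added example that is not part of the CVE record or of any Concrete CMS tooling: a Python check that scans captured public page output for the title, path, description and author of pages that are meant to be hidden. The inventory format, the sample pages and the `find_leaks` name are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

MIN_LEN = 6  # skip short values ("Home", "News") that match by chance
# Constructed sample data (hypothetical inventory format, not from a real site).
HIDDEN = [{"path": "/internal/q3-plan", "title": "Q3 Restructuring Plan",
           "description": "Draft budget cuts", "author": "jdoe-editor"}]
PUBLIC_HTML = ('<ul><li><a href="https://cms.example.test/blog/hello">Hello</a>'
               " by jdoe-editor</li><li><a href='/internal/q3-plan/'>"
               "Q3  Restructuring Plan</a> by jdoe-editor</li></ul>")

class _Extractor(HTMLParser):
    """Collect text nodes and link paths from rendered page output."""
    def __init__(self):
        super().__init__()
        self.text, self.paths = [], set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if href:
            self.paths.add(urlsplit(href).path.rstrip("/").lower())

    def handle_data(self, data):
        self.text.append(data)

def _norm(value):
    return " ".join((value or "").split()).lower()

def find_leaks(html, hidden_pages):
    """Return sorted (path, field) pairs for hidden-page metadata seen in html."""
    parser = _Extractor()
    parser.feed(html)
    parser.close()
    text = _norm(" ".join(parser.text))
    leaks = set()
    for page in hidden_pages:
        path = page["path"].rstrip("/").lower()
        hits = {"path"} if path and (path in parser.paths or path in text) else set()
        for field in ("title", "description"):
            value = _norm(page.get(field))
            if len(value) >= MIN_LEN and value in text:
                hits.add(field)
        # Authors also write public pages, so an author name only counts
        # when another field of the same hidden page matched too.
        author = _norm(page.get("author"))
        if hits and author and author in text:
            hits.add("author")
        leaks.update((page["path"], field) for field in hits)
    return sorted(leaks)
```

Feed it output fetched without a session cookie, so the result reflects what an unauthenticated requester receives.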
Evidence notes
All claims in this debrief are drawn from the supplied CVE record and its NVD summary. The description explicitly states Concrete CMS 9.5.0 and below are affected, that the issue is unauthenticated, and that summary templates can expose private, draft, and restricted page metadata. The supplied source reference points to Concrete CMS 9.5.1 release notes, but the corpus does not provide the release note contents, so no specific fixed-version claim is made beyond referencing the official link.
Official resources
- CVE-2026-8240 CVE record (CVE.org)
- CVE-2026-8240 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff5b8ace-8b95-4078-9743-eac1ca5451de
Publicly disclosed via the official CVE/NVD record on 2026-05-21. The supplied record credits Winston Crooker for reporting.