PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8337 Concrete CMS CVE debrief

CVE-2026-8337 affects Concrete CMS 9.5.0 and below when a site is configured with both public and private surveys. In that setup, an unauthenticated attacker may be able to submit a restricted option ID through the public survey endpoint and influence a private survey vote. The CVSS v4.0 score provided by the Concrete CMS security team is 6.3 (Medium), and the issue is primarily an integrity problem rather than a confidentiality or availability issue.

Vendor: Concrete CMS
Product: Unknown
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Concrete CMS administrators and developers who use the survey feature, especially on sites that host both public and private surveys on the same instance. Security teams should also review any application logic that accepts survey option IDs from unauthenticated public endpoints.

Technical summary

The vulnerability is an insecure direct object reference (IDOR) in survey handling. According to the supplied description, a public survey endpoint can accept a restricted optionID in a way that affects a private survey, allowing vote submission without authentication. The condition appears to require a site configuration that contains both public and private surveys. The supplied NVD metadata also maps the issue to CWE-565 (Reliance on Cookies without Validation and Integrity Checking) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Defensive priority

Medium. The issue is unauthenticated, but exploitation depends on a specific site configuration and the impact described in the corpus is limited to integrity. Prioritize it for any Concrete CMS deployment that uses surveys, especially if public and private surveys coexist.

Recommended defensive actions

  • Inventory Concrete CMS deployments at version 9.5.0 and below that use the survey feature.
  • Check whether the affected site exposes both public and private surveys; treat that combination as at risk.
  • Apply the vendor’s official remediation guidance and upgrade to a fixed Concrete CMS release once confirmed in the linked release notes.
  • Verify that survey option IDs submitted through public endpoints are server-side validated against the correct survey visibility and ownership rules.
  • Monitor logs for public survey submissions that reference restricted option IDs or otherwise unusual vote patterns.
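The following is an added illustration of the server-side validation and log review described in the actions above; it is not Concrete CMS code and does not model the project's real schema, class names or endpoints. The survey store, the `/survey/public/<id>/vote` path, the `optionID` log field and the sample log lines are all constructed assumptions. It contrasts a vote handler that trusts the submitted option ID alone (the IDOR pattern) with one that first resolves the survey the request targets, checks that it is public, and checks that the option belongs to it, and it finishes with a review pass over constructed submission logs that flags option IDs belonging to a survey other than the public one named in the path.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a survey store. Concrete CMS's real schema,
# class names and endpoints are NOT modelled here; only the check pattern is.


@dataclass
class Survey:
    survey_id: int
    visibility: str                                   # "public" or "private" (assumed labels)
    options: Dict[int, str]                           # option_id -> option label
    votes: Dict[int, int] = field(default_factory=dict)  # option_id -> tally


def make_sample_surveys() -> Dict[int, Survey]:
    """Constructed fixture: one public and one private survey on the same site."""
    return {
        1: Survey(1, "public", {101: "Yes", 102: "No"}),
        2: Survey(2, "private", {201: "Approve", 202: "Reject"}),
    }


class VoteRejected(Exception):
    """Raised when a submission fails server-side validation."""


def _owner_of_option(surveys: Dict[int, Survey], option_id: int) -> Optional[Survey]:
    """Return the survey that owns option_id, or None if no survey has it."""
    for survey in surveys.values():
        if option_id in survey.options:
            return survey
    return None


def vote_public_vulnerable(surveys: Dict[int, Survey], option_id: int) -> int:
    """IDOR pattern: the public endpoint trusts the submitted option ID alone and
    credits whichever survey owns that option, private surveys included.
    Returns the id of the survey whose tally was changed."""
    survey = _owner_of_option(surveys, option_id)
    if survey is None:
        raise VoteRejected("unknown option")
    survey.votes[option_id] = survey.votes.get(option_id, 0) + 1
    return survey.survey_id


def vote_public_hardened(surveys: Dict[int, Survey], survey_id: int, option_id: int) -> int:
    """Hardened pattern: the request names the survey it targets; the server checks
    that the survey is public and that the option belongs to that survey before
    touching any tally. Returns the id of the survey credited."""
    survey = surveys.get(survey_id)
    if survey is None or survey.visibility != "public":
        raise VoteRejected("survey is not available on the public endpoint")
    if option_id not in survey.options:
        raise VoteRejected("option does not belong to the requested survey")
    survey.votes[option_id] = survey.votes.get(option_id, 0) + 1
    return survey.survey_id


# Constructed log lines in an assumed format (timestamp, method, path, submitted optionID).
SAMPLE_LOG = [
    "2026-05-21T10:00:01Z POST /survey/public/1/vote optionID=101",
    "2026-05-21T10:00:07Z POST /survey/public/1/vote optionID=201",
    "2026-05-21T10:00:09Z POST /survey/public/1/vote optionID=999",
]

_LOG_RE = re.compile(r"POST /survey/public/(\d+)/vote optionID=(\d+)")


def flag_suspicious_submissions(surveys: Dict[int, Survey], log_lines: List[str]) -> List[Tuple[str, str]]:
    """Review pass over public vote submissions: flag any whose option ID does not
    belong to the public survey named in the path. Returns (line, reason) pairs."""
    flagged: List[Tuple[str, str]] = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        path_survey_id, option_id = int(m.group(1)), int(m.group(2))
        owner = _owner_of_option(surveys, option_id)
        if owner is None:
            flagged.append((line, "unknown option id"))
        elif owner.survey_id != path_survey_id:
            flagged.append((line, f"option belongs to {owner.visibility} survey {owner.survey_id}"))
    return flagged


if __name__ == "__main__":
    surveys = make_sample_surveys()
    print("vulnerable handler credited survey", vote_public_vulnerable(surveys, 201))
    try:
        vote_public_hardened(surveys, 1, 201)
    except VoteRejected as exc:
        print("hardened handler rejected:", exc)
    for line, reason in flag_suspicious_submissions(surveys, SAMPLE_LOG):
        print("FLAG", reason, "|", line)
```

The design point is that the hardened handler never lets the option ID select the survey: the survey comes from the request's own routing, its visibility is checked first, and the option is then validated as a member of that survey. The log check applies the same ownership rule retrospectively, which is the review described in the monitoring action above.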

Evidence notes

The CVE description states that Concrete CMS 9.5.0 and below are vulnerable when both public and private surveys are present, and that an unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey endpoint. The provided NVD record lists the vuln status as Received, includes the same CVSS v4.0 vector and score, and references the Concrete CMS 9.5.1 release notes page. The corpus also includes the official CVE record and NVD detail page. Publication timing used here is the supplied CVE publishedAt value: 2026-05-21T22:16:50.497Z.

Official resources

Publicly disclosed in the supplied CVE record on 2026-05-21T22:16:50.497Z. No KEV entry is included in the provided corpus.