These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-8435 describes a cross-site request forgery issue in Concrete CMS 9 before 9.5.0 affecting the file version approval controller action concrete/controllers/backend/file approveVersion(). NVD assigns a low CVSS v4.0 score of 2.3 and lists CWE-352 along with CWE-1275. The issue was publicly recorded on 2026-05-21, and the supplied vendor reference points to Concrete CMS 9.5.0 release notes as the r [truncated]
CVE-2026-8433 is a low-severity CSRF issue affecting Concrete CMS 9 before 9.5.0. The vulnerable path is concrete/controllers/backend/file rescan(), and the vendor-assigned CVSS v4.0 score is 2.3 with a vector indicating network reachability, required user interaction, and limited integrity impact. The issue was publicly recorded on 2026-05-21, and the supplied corpus identifies Yonatan Drori (Tenzai) as [truncated]
CVE-2026-8432 is a Cross-Site Request Forgery (CSRF) issue affecting Concrete CMS 9 before 9.5.0, specifically in concrete/controllers/backend/file star(). The vulnerability was assigned a CVSS v4.0 score of 2.3 (LOW) with a vector indicating network reachability, required user interaction, and low integrity impact. The practical takeaway is straightforward: organizations running affected Concrete CMS 9 d [truncated]
CVE-2026-8427 is a low-severity Cross-Site Request Forgery issue in Concrete CMS 9 before 9.5.0. The vulnerable path is concrete/controllers/backend/file removeFavoriteFolder($id), and the Concrete CMS security team assigned CVSS v4.0 2.3 (AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N). The issue was publicly recorded on 2026-05-21 and reported by Yonatan Drori (Tenzai).
CVE-2026-8416 is a low-severity CSRF issue in Concrete CMS 9 before 9.5.0. The affected backend controller action can be triggered in a way that may cause an authenticated user’s browser to perform an unintended favorite-folder change. The issue was reported by Yonatan Drori (Tenzai) and assigned a CVSS v4.0 score of 2.3.
CVE-2026-8415 is a low-severity CSRF issue in Concrete CMS 9 versions before 9.5.0. The affected path is concrete/controllers/dialog/express/association/reorder, and the vendor states the fix is available in 9.5.0. NVD and the Concrete CMS release notes both point to this issue, which was reported by Yonatan Drori (Tenzai).
CVE-2026-8414 is a low-severity CSRF issue affecting Concrete CMS 9 versions before 9.5.0. The vulnerable endpoint is identified as concrete/controllers/dialog/event/duplicate. Because CSRF can cause a logged-in user’s browser to submit unintended actions, administrators should review any Concrete CMS 9 deployments and update to a fixed version.
CVE-2026-8413 is a Cross-Site Request Forgery (CSRF) issue in Concrete CMS 9 before 9.5.0, affecting concrete/controllers/dialog/page/bulk/design. The vendor-assigned CVSS v4.0 score is 2.3 (LOW), reflecting that the impact is limited but still capable of causing unintended changes when a victim with an active session is tricked into submitting a request. The record credits Yonatan Drori (Tenzai) for reporting.
CVE-2026-8412 is a low-severity CSRF issue in Concrete CMS 9 before 9.5.0, affecting the bulk cache controller path. The CVE was published on 2026-05-21 and scored CVSS v4.0 2.3, indicating a network-reachable issue that requires user interaction and is expected to cause only limited integrity impact. The safest response is to upgrade to the fixed Concrete CMS version and verify the bulk cache workflow no [truncated]
CVE-2026-8411 is a Cross-Site Request Forgery issue in Concrete CMS 9 before 9.5.0, affecting concrete/controllers/dialog/page/bulk/delete. The vulnerability was reported by Yonatan Drori (Tenzai) and scored Low severity by the Concrete CMS security team. Because the attack requires user interaction and the reported impact is limited, this is best handled as a routine patching item rather than an emergency.
CVE-2026-8410 is a low-severity CSRF issue affecting Concrete CMS 9 before 9.5.0. The vulnerable path identified in the record is concrete/controllers/dialog/logs/bulk/delete, which could allow a forged browser request to trigger an administrative bulk log-delete action. The NVD entry assigns CVSS v4.0 2.3 and credits Yonatan Drori (Tenzai) for reporting.
CVE-2026-8409 is a low-severity Cross-Site Request Forgery issue in Concrete CMS 9 before 9.5.0. The vulnerable endpoint is concrete/controllers/dialog/logs/delete, which could let an attacker induce an unwanted log-deletion action through a victim’s browser session.
CVE-2026-8337 affects Concrete CMS 9.5.0 and below when a site is configured with both public and private surveys. In that setup, an unauthenticated attacker may be able to submit a restricted option ID through the public survey endpoint and influence a private survey vote. The CVSS v4.0 score provided by the Concrete CMS security team is 6.3 (Medium), and the issue is primarily an integrity problem rathe [truncated]
CVE-2026-8327 affects Concrete CMS account and session controls. The supplied description says the user-profile edit controller forwards the full POST payload to UserInfo::update() without field whitelisting, which allows a logged-in user to change their password without re-entering the current password and can also disable per-user IP-pinning in the session validator. The result is a weakness in both acc [truncated]
CVE-2026-8245 describes a reflected cross-site scripting issue in Concrete CMS Legacy Pagination affecting version 9.5.0 and below. The issue comes from raw interpolation of a URL value into an HTML href attribute, which can let a crafted link inject script into a user’s session. The source description says the impact is relevant to authenticated admin or report-viewer users who access the legacy reports [truncated]
CVE-2026-8240 affects Concrete CMS 9.5.0 and below. When a page uses a configured summary template, an unauthenticated requester can learn metadata about pages that should remain hidden, including the existence of private, draft, and restricted pages, along with title, path, description, and author information. The published CVSS v4.0 score is 6.3 (Medium), reflecting a confidentiality issue driven by net [truncated]
CVE-2026-8239 is a medium-severity insecure direct object reference in Concrete CMS 9.5.0 and below. The affected endpoint can reveal whether a message exists and return its rating score when accessed by message ID, indicating missing authorization checks on a network-reachable path.
CVE-2026-8238 is an information-disclosure flaw in Concrete CMS 9.5.0 and earlier. An attacker does not need to authenticate to retrieve full conversation message content through the frontend message endpoint, which can expose restricted-page, member-only, and moderation-queue messages as well as attachment download URLs.
CVE-2026-8237 affects Concrete CMS 9.5.0 and below. An unauthenticated attacker can access the /ccm/frontend/conversations/message_detail endpoint to retrieve the full content of conversation messages they should not be able to see. The exposure includes messages from restricted pages, member-only areas, the moderation queue, and file attachment download URLs. The vulnerability was assigned CVSS v4.0 6.3 (Medium).
CVE-2026-8236 describes an unauthenticated access-control flaw in Concrete CMS 9.5.0 and below. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts a file ID in the URL and can return internal site structure details such as page IDs, versions, and URL paths to a GET request without an authentication gate. The issue is scored CVSS v4.0 6.3 (medium) and is primarily an information-disclosure and acces [truncated]
CVE-2026-8139 is a stored XSS issue in Concrete CMS affecting external-link page cvName handling. The advisory says updateCollectionAliasExternal can bypass sanitization, allowing script content to be stored and later rendered in affected contexts.
CVE-2026-7890 is a low-severity server-side request issue in Concrete CMS’s RSS Displayer block. In affected versions, a page editor can provide a feed URL that the application fetches server-side without validation, which can enable redirect-to-internal bypass behavior. The supplied NVD metadata maps the issue to CWE-918 and assigns CVSS v4.0 2.1, reflecting the limited impact and the need for elevated a [truncated]
CVE-2026-7887 affects Concrete CMS 9.5.0 and below. In the OAuth 2.0 authorization-code flow, the handler may bypass account-status enforcement, allowing a user with uIsActive=0, such as a suspended, banned, or terminated account, to authenticate and receive valid API tokens. The issue is scored CVSS v4.0 2.3 (LOW) by the Concrete CMS security team, but it still undermines account revocation and access-cont [truncated]
CVE-2026-7886 describes an access-control flaw in Concrete CMS conversations. In affected versions, the AddMessage and UpdateMessage controllers accept user-supplied attachment IDs and load File entities directly, which means a user who can post in a conversation may reference files by sequential ID without a per-file authorization check. The result is an IDOR-style file permission bypass rather than a di [truncated]
CVE-2026-7882 is a low-severity but real authorization-bypass issue in Concrete CMS file deletion handling. The vulnerable DeleteFile controller rejects valid CSRF tokens and continues when the token is missing or invalid, effectively disabling CSRF protection for that endpoint. That means an attacker can potentially induce file deletion through a cross-site request if the victim is an authenticated user [truncated]
CVE-2026-7881 describes an insecure direct object reference (IDOR) in Concrete CMS 9.5.0 and below. The issue is in the Express Entry Detail block and is triggered through the exEntryID parameter, which can expose unauthorized access to Express form submissions. NVD lists the weakness as CWE-639 and assigns a CVSS v4.0 score of 6.3 (Medium).
CVE-2026-7879 describes an authorization bypass in Concrete CMS 9.5.0 and below. The submit_password() method in concrete/controllers/single_page/download_file.php can allow file downloads without properly enforcing view_file permission checks. As described by the vendor/NVD record, this means non-passworded files can be downloaded even when access should be restricted, and password-protected files can be [truncated]
CVE-2026-8428 is a cross-site request forgery issue in Concrete CMS’s core update flow. The update form renders a CSRF token, but the corresponding controller action does not validate it before processing the request. As a result, a cross-site POST can reach the update handler and trigger a core CMS update to an attacker-influenced version string, provided the victim's canUpgrade() check passes and a valid [truncated]
CVE-2026-8421 is a high-severity CSRF issue in Concrete CMS 9.5.0 and below. If an authenticated administrator who can install packages is lured to a crafted page, an attacker can force install_package() to install a package already present under DIR_PACKAGES/<handle>/ without CSRF protection. Because package installation runs the package controller's install() method as the web server user, the issue can [truncated]
CVE-2026-8350 is a high-severity authorization flaw in Concrete CMS 9.5.0 and below. The issue is in bulk_user_assignment.php, where an authenticated user with access to the bulk user assignment dashboard can add any user email to any group and remove legitimate admins, enabling privilege escalation to the Administrative Group. The vulnerability was published on 2026-05-21 and is rated CVSS 7.5 (HIGH) by [truncated]
CVE-2026-8205 is a Medium-severity authorization bypass in Concrete CMS Calendar Block handling. According to the CVE and NVD record, action_get_events does not check canView on the calendar, which can disclose restricted event details. The issue was published on 2026-05-21 and is not listed as a known CISA KEV item in the supplied data.
CVE-2026-8203 is a stored cross-site scripting (XSS) vulnerability affecting Concrete CMS 9.5.0 and below. The issue is described as improper validation or sanitization of the $height value in a controller, allowing malicious JavaScript to be stored and later executed in a visitor’s browser. The CVE record rates the issue HIGH with CVSS v4.0 7.3.
CVE-2026-8197 is a stored cross-site scripting issue in Concrete CMS 9.5.0 and earlier. The problem is in the OAuth authorize template, where an admin-controlled integration name is passed through Concrete's translation helper in a way that preserves embedded HTML. In practical terms, a malicious or rogue administrator could inject content that is rendered in the login flow and potentially observe or inte [truncated]
CVE-2026-8140 is a CSRF weakness in Concrete CMS that affects version 9.5.0 and below. According to the supplied description, the /dashboard/extend/install/download/<remoteId> route only checks canInstallPackages() and does not validate a CSRF token before fetching a remote marketplace package and writing it to the server. If an authenticated administrator has the required permission and the site is conne [truncated]
CVE-2026-8135 is a high-severity remote code execution issue published on 2026-05-21. The supplied record says Concrete CMS 9.5.0 and below are affected. The flaw is in the ExpressEntryList block controller, where a protection check intended to block malicious inputs over form POST requests can be bypassed through REST API handling. According to the record, JSON parsing can interpret the string "true" as [truncated]
CVE-2026-6826 is an unauthenticated information-disclosure issue in Concrete CMS 9.5.0 and earlier. A missing permission check in the file usage controller can let a remote visitor query file-usage details for a file ID and receive references to pages that use that file, including page IDs, handles, and full URLs. Because the response can include pages that are otherwise restricted, the issue can expose s [truncated]