QSearchQSearch

CVE-2026-8337

5.3 MEDIUM

Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys

Published: 2026-05-21 · Last updated: 2026-05-26

Severity and scoring

CVSS
5.3 MEDIUM
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE
CWE-565, CWE-639

Affected products

VendorProduct
concretecmsconcrete_cms

Description

Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey’s endpoint. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks  Zer0daySec https://github.com/Zee99y  for reporting

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-8340 Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion (4.3 MEDIUM)
  • CVE-2026-8434 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple() (8.8 HIGH)
  • CVE-2026-8433 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan() (8.8 HIGH)
  • CVE-2026-8432 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star() (8.8 HIGH)
  • CVE-2026-8427 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder(... (8.8 HIGH)

Same CWE

  • CVE-2026-44692 Sharp is a content management framework built for Laravel as a package (7.7 HIGH)
  • CVE-2026-46558 Plane is an open-source project management tool (8.3 HIGH)
  • CVE-2026-53471 A flaw was found in migration-planner (9.6 CRITICAL)
  • CVE-2026-53470 A flaw was found in migration-planner (9.6 CRITICAL)
  • CVE-2026-45563 Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers (4.3 MEDIUM)