CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.15)

CVE-2026-8432
High

Concrete CMS version 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) in the concrete/controllers/backend/file star() module.

CVE-2026-8427
High

Concrete CMS version 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) in the removeFavoriteFolder($id) function in the backend controller.

CVE-2026-8416
High

Concrete CMS version 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) in the addFavoriteFolder($id) method in the backend controller.

CVE-2026-8415
High

Concrete CMS version 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) in the association reorder module. This vulnerability has been rated 2.3 by the Concrete CMS security team on the CVSS v.4.0 scale.

CVE-2026-8414
High

Concrete CMS version 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) in the event duplication module.

CVE-2026-8413
High

Concrete CMS version 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) in the concrete/controllers/dialog/page/bulk/design module.

CVE-2026-8412
High

Concrete CMS version 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) in the page cache management module. This vulnerability has been rated 2.3 by the Concrete CMS security team on the CVSS v.4.0 scale.

CVE-2026-8411
High

Concrete CMS version 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) in the page bulk delete controller. This vulnerability has been rated 2.3 by the Concrete CMS security team on the CVSS v.4.0 scale.

CVE-2026-8410
High

Concrete CMS version 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) in the log deletion module. This vulnerability has been rated by the Concrete CMS security team as 2.3 on the CVSS v.4.0 scale.

CVE-2026-8409
High

Concrete CMS version 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) in the log deletion module. This vulnerability has been rated by the Concrete CMS security team with a CVSS v.4.0 score of 2.3.

CVE-2026-8428
High

Concrete CMS version 9.5.0 and below emits a CSRF token in the local_available_update.php view, but the do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php does not validate this token. This allows an attacker to perform a cross-site POST attack that can trigger a CMS update to a version specified by the attacker.

CVE-2026-8426
High

Concrete CMS versions 9.5.0 and below do not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker controlling the remote package for a known marketplace item ID can overwrite the PHP package on disk and force its upgrade() method to execute in a single browser navigation.

CVE-2026-8421
High

Concrete CMS versions 9.5.0 and below contain a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker can force the installation of a package without CSRF protection if they can entice an authenticated administrator to visit a crafted page.

CVE-2026-8417
High

Concrete CMS versions 9.5.0 and below do not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php only checks canInstallPackages() before executing upgradeCoreData() and upgrade() on the named package's controller.

CVE-2026-8350
High

Concrete CMS versions 9.5.0 and below are vulnerable to missing authorization in bulk_user_assignment.php, which can lead to privilege escalation to the Administrative Group. Any authenticated user with access to the bulk user assignment dashboard can add any user email to any group and can remove legitimate admins.

CVE-2026-8135
High

Concrete CMS versions 9.5.0 and below are vulnerable to Remote Code Execution due to insecure deserialization in the ExpressEntryList block controller. A rogue administrator can bypass the intended protection mechanism, allowing for the injection of a malicious payload into the database.

CVE-2026-8134
High

Concrete CMS version 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. A rogue administrator with composer form editing rights can exploit this vulnerability to include arbitrary readable files on the server.

CVE-2026-46473
High

Authen::TOTP versions before 0.1.1 for Perl generate secrets using the rand function, which is predictable and unsuitable for security usage.

CVE-2026-48242
High

Open ISES Tickets before version 3.44.2 contains hardcoded MySQL database connection credentials in import_mdb.php. These credentials are embedded in source code committed to a public repository, allowing any reader to obtain configuration values that may match deployed installations.

CVE-2026-48241
High

Open ISES Tickets before version 3.44.2 contains hardcoded MySQL database credentials in loader.php, which is publicly accessible. Any actor with access to the public source tree or an unauthenticated attacker with read access to the file on a deployed installation can read the username, password, and database name.

PreviousPage 256 of 3324Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS