CVE Security

high 8.8

28/05/2026

Vulnérabilité high détectée - CVE-2026-8409

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete.  The The Concrete CMS secu...

Web

CVE-2026-8409

Lire l'article

medium 4.3

28/05/2026

Vulnérabilité medium détectée - CVE-2026-7882

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code ...

Web

CVE-2026-7882

Lire l'article

medium 5.4

28/05/2026

Vulnérabilité medium détectée - CVE-2026-8139

Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized....

Web

CVE-2026-8139

Lire l'article

unknown

28/05/2026

Vulnérabilité unknown détectée - CVE-2026-4093

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display template...

Web

CVE-2026-4093

Lire l'article

unknown

28/05/2026

Vulnérabilité unknown détectée - CVE-2026-4929

Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affec...

Web

CVE-2026-4929

Lire l'article

critical 9.8

28/05/2026

Vulnérabilité critical détectée - CVE-2026-6960

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_su...

Web

CVE-2026-6960

Lire l'article

medium 5.3

28/05/2026

Vulnérabilité medium détectée - CVE-2026-7879

In Concrete CMS 9.5.0 and below,  the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access ...

Web

CVE-2026-7879

Lire l'article

high 8.8

28/05/2026

Vulnérabilité high détectée - CVE-2026-8417

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_updat...

Web

CVE-2026-8417

Lire l'article

high 8.8

28/05/2026

Vulnérabilité high détectée - CVE-2026-8421

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/instal...

Web

CVE-2026-8421

Lire l'article

high 8.8

28/05/2026

Vulnérabilité high détectée - CVE-2026-8426

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>...

Web

CVE-2026-8426

Lire l'article

high 8.8

28/05/2026

Vulnérabilité high détectée - CVE-2026-8428

Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update()...

Web

CVE-2026-8428

Lire l'article

high 8.8

28/05/2026

Vulnérabilité high détectée - CVE-2026-8350

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Adminis...

Web

CVE-2026-8350

Lire l'article