Concrete CMS
This hub aggregates every CVE we track for Concrete CMS, a product in the web CMS plugins space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 146
- Critical: 6
- High: 38
- In CISA KEV: 0
Severity distribution
- MEDIUM: 88
- HIGH: 38
- LOW: 14
- CRITICAL: 6
Monthly trend (2024-07 to 2026-06): 0, 4, 4, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 7, 0, 36, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Concrete CMS.
- CVE-2026-8340: Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion (score 4.3)
- CVE-2026-8139: Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName (score 5.4)
- CVE-2026-8409: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete (score 8.8)
- CVE-2026-8410: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete (score 8.8)
- CVE-2026-8411: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete (score 8.8)
- CVE-2026-8412: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache (score 8.8)
- CVE-2026-8413: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design (score 8.8)
- CVE-2026-8414: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate (score 8.8)
- CVE-2026-8415: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder (score 8.8)
- CVE-2026-8416: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id) (score 8.8)
- CVE-2026-8427: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id) (score 8.8)
- CVE-2026-8432: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star() (score 8.8)
- CVE-2026-8433: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan() (score 8.8)
- CVE-2026-8434: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple() (score 8.8)
- CVE-2026-7882: Concrete CMS 9.5.0 and below is vulnerable to CSRF via the DeleteFile controller (score 4.3)
Product normalization is registry-driven with AI assist and human review.