Description
Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
Published: 2026-05-21
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and below have an insecure direct object reference vulnerability in the Express Entry Detail block; the exEntryID parameter can be manipulated to access any Express form submission. The flaw gives attackers the ability to read sensitive user‑supplied data, compromising confidentiality, but does not alter application logic or provide execution capabilities. The CVSS v4 score of 6.3 indicates moderate severity.

Affected Systems

Concrete CMS 9.5.0 and earlier versions are affected. No further granularity on patch levels is provided in the advisory.

Risk and Exploitability

The vulnerability is reachable through the web interface via the exEntryID query-string parameter. Because the parameter is publicly exposed, it can be exploited remotely. The EPSS score is not available, so the current exploitation probability is unknown. The issue is not listed in the CISA KEV catalog. The moderate CVSS score and the absence of a public proof of exploitation suggest a realistic but not imminent risk for instances exposed to the public web.

Generated by OpenCVE AI on May 21, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to a version newer than 9.5.0
  • If a patch is not immediately available, restrict or disable the Express Entry Detail block for unauthenticated users through configuration or firewall rules
  • Enforce a server-side authorization check that the requesting user is permitted to view the entry referenced by exEntryID before returning its data



Advisories

No advisories yet.

History

Thu, 21 May 2026 22:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Concretecms
                                       Concretecms concrete Cms
Vendors & Products                     Concretecms
                                       Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type          Values Removed   Values Added
Description                    Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
Title                          Concrete CMS 9.5.0 and below is vulnerable to IDOR in the Express Entry Detail block
Weaknesses                     CWE-639
References
Metrics                        cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Concretecms Concrete Cms
MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T21:09:18.551Z

Reserved: 2026-05-05T18:27:52.291Z

Link: CVE-2026-7881

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T22:16:48.900

Modified: 2026-05-21T22:16:48.900

Link: CVE-2026-7881

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:30:20Z

Weaknesses