Description
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Published: 2026-05-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and older let an unauthenticated visitor read metadata from every page that has a summary template configured (the Backend\SummaryTemplate code path). The disclosed fields are title, path, description and author, and the output also reveals the existence of private, draft and restricted pages that the visitor is not permitted to view; that knowledge can help an attacker pick targets for later steps. The weakness is classified as CWE-284 (Improper Access Control). It is information disclosure only: the CVSS vector records a low confidentiality impact and no impact on integrity or availability (VC:L/VI:N/VA:N).

Affected Systems

The affected product is Concrete CMS 9.5.0 and every earlier release; the advisory names no lower bound. A site is exposed when at least one of its pages has a summary template configured, which is the normal situation on sites that use the summary template feature at all. The description's wording ("9.5.0 and below") implies that later releases are not affected, but this page lists neither a fixed version nor a vendor workaround, so confirm the fix in the vendor's release notes before treating an upgrade as the remedy.
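A quick way to tell whether an install falls inside the "9.5.0 and below" range, as an added example (my code, not the advisory's or the Concrete CMS project's). It pulls the version string out of concrete/config/concrete.php, assuming that file carries a `'version' => '9.x.y'` entry (the layout I believe the project uses; confirm on your install), and compares it numerically so that 9.10.x is not mistaken for something older than 9.5.0, which a plain string comparison would do. A pre-release such as 9.5.0rc1 is treated as older than the 9.5.0 final and therefore affected.

```python
"""Check whether a Concrete CMS install is in the range this advisory names (<= 9.5.0).

Added example; not from the advisory or the Concrete CMS code base.  Assumes the
version string lives in concrete/config/concrete.php as  'version' => '9.x.y'.
"""
import re
from pathlib import Path
from typing import Tuple

# Last affected release named by the advisory ("9.5.0 and below").
LAST_AFFECTED = "9.5.0"

# Matches the 'version' => '9.5.0' entry only (not 'version_installed' or 'version_db').
_VERSION_RE = re.compile(r"""['"]version['"]\s*=>\s*['"]([0-9][^'"]*)['"]""")
# Dotted numeric part with an optional pre-release tag: 9.5.0, 9.10.2, 9.5.0rc1, 9.5.0-beta.2
_PRERELEASE_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[.-]?([A-Za-z]+)\.?(\d*))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, str, int]]:
    """Turn a version string into a tuple that sorts the way releases do.

    Numeric parts are compared as integers, so 9.10.0 > 9.5.0.  A pre-release
    suffix sorts before the final release of the same number (9.5.0rc1 < 9.5.0).
    """
    m = _PRERELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad "9.5" to (9, 5, 0)
    if m.group(2):
        tag = (0, m.group(2).lower(), int(m.group(3) or 0))  # pre-release
    else:
        tag = (1, "", 0)  # final release sorts after any pre-release
    return nums, tag


def version_from_config(php_source: str) -> str:
    """Extract the 'version' entry from the contents of concrete/config/concrete.php."""
    m = _VERSION_RE.search(php_source)
    if not m:
        raise ValueError("no 'version' => '...' entry found")
    return m.group(1)


def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when version <= last_affected, i.e. inside the advisory's '9.5.0 and below'."""
    return parse_version(version) <= parse_version(last_affected)


def check_install(root: Path) -> Tuple[str, bool]:
    """Read the version from an install root and return (version, affected)."""
    src = (root / "concrete" / "config" / "concrete.php").read_text(encoding="utf-8")
    v = version_from_config(src)
    return v, is_affected(v)


# Constructed sample of the relevant part of concrete.php (not copied from a real install).
SAMPLE_CONFIG = """<?php
return [
    'version' => '9.5.0',
    'version_installed' => '9.5.0',
    'version_db' => '20250101000000',
];
"""

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        v, hit = check_install(Path(sys.argv[1]))
    else:
        v = version_from_config(SAMPLE_CONFIG)
        hit = is_affected(v)
    state = f"AFFECTED (<= {LAST_AFFECTED})" if hit else "not in the affected range"
    print(f"Concrete CMS {v}: {state}")
```

Run it with the install root as the only argument; with no argument it checks the constructed sample and reports 9.5.0 as affected. Because the page lists no fixed version, a "not in the affected range" result for a release above 9.5.0 only means the version is outside what the advisory names, not that the vendor has confirmed a fix there.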

Risk and Exploitability

The CVSS v4.0 base score of 6.3 (Medium) reflects a remotely reachable, low-complexity flaw that needs no privileges and no user interaction (AV:N/AC:L/PR:N/UI:N), with a low confidentiality impact and no integrity or availability impact. Note the AT:P component: the vector records that a specific condition on the target must hold for the attack to work; from the description, that condition is a page with a summary template configured, so exposure depends on how the site is set up rather than being present on every install. The advisory does not describe the request involved. The EPSS score is below 1% (Very Low) and the CVE is not in the CISA KEV catalog, so there is no indication of exploitation in the wild at the time of writing; the SSVC assessment recorded in the history below likewise lists Exploitation: none, though it marks the flaw Automatable: yes, which fits an unauthenticated read that needs no interaction.

Generated by OpenCVE AI on May 21, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to a release newer than 9.5.0 as soon as the vendor publishes one. This page does not yet list a fixed version, so confirm in the Concrete CMS release notes or security advisory that the release you move to addresses this issue.
  • Until a fix is available, reduce the exposure the description identifies: remove the summary template configuration from private, draft and restricted pages, and from any other page whose title, path, description or author must not be public. This is an interim measure inferred from the advisory text, not a vendor-issued workaround.
  • Keep monitoring the Concrete CMS security advisories for a patch or further vendor guidance.


Advisories

No advisories yet.

History

Fri, 22 May 2026 14:30:00 +0000

  Metrics (ssvc), added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 00:15:00 +0000

  First Time appeared, added: Concretecms; Concretecms concrete Cms
  Vendors & Products, added: Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

  Description, added: Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
  Title, added: Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure in Backend\SummaryTemplate
  Weaknesses, added: CWE-284
  References, added: (empty)
  Metrics (cvssV4_0), added: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-22T13:14:22.026Z

Reserved: 2026-05-09T16:15:58.816Z

Link: CVE-2026-8240

Vulnrichment

Updated: 2026-05-22T13:14:18.461Z

NVD

Status : Received

Published: 2026-05-21T22:16:50.123

Modified: 2026-05-21T22:16:50.123

Link: CVE-2026-8240

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T00:00:12Z

Weaknesses