Description
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Published: 2026-05-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and earlier allow an attacker who can view any website page to read sensitive metadata from every page that uses the Backend\SummaryTemplate. The flaw reveals titles, URLs, descriptions, and author names for private, draft, and restricted pages, exposing information that could aid further attacks; data integrity and availability are assessed as unaffected (VI:N and VA:N in the CVSS vector).

Affected Systems

The affected product is Concrete CMS 9.5.0 and all earlier releases. Any site running these versions and employing a default or custom summary template configuration is susceptible. Upgrading to newer releases that have removed the vulnerable code path eliminates the issue.

Risk and Exploitability

The CVSS v4.0 score of 6.3 indicates moderate severity, driven by the lack of any authentication requirement and the potential to expose sensitive editorial information. The EPSS score of below 1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, which suggests no documented widespread exploitation. The flaw is reachable remotely by requesting a page URL, so the attack vector requires no special access or tooling.

Generated by OpenCVE AI on May 26, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to the latest stable release, which removes the vulnerable summary template functionality.
  • If an immediate upgrade is not possible, disable or restrict access to all Backend\SummaryTemplate pages and configurations until a patch can be applied.
  • Continue monitoring the Concrete CMS security advisories for any new patches or additional guidance.

Generated by OpenCVE AI on May 26, 2026 at 20:08 UTC.

Advisories

No advisories yet.

History

Tue, 26 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Fri, 22 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Concretecms
Concretecms concrete Cms
Vendors & Products Concretecms
Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Title Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure in Backend\SummaryTemplate
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-22T13:14:22.026Z

Reserved: 2026-05-09T16:15:58.816Z

Link: CVE-2026-8240

Vulnrichment

Updated: 2026-05-22T13:14:18.461Z

NVD

Status : Analyzed

Published: 2026-05-21T22:16:50.123

Modified: 2026-05-26T17:24:12.150

Link: CVE-2026-8240

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T20:15:15Z

Weaknesses