CVE-2026-8347— Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in Express association Reorder dialog
Possible ATT&CK Techniques 3AI
T1059 · Command and Scripting Interpreter T1098 · Account Manipulation T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Concrete CMS | Concrete CMS | 5.0≤ 9.5.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8347
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in Express association Reorder dialog
Source: NVD (National Vulnerability Database)
Vulnerability Description
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Concrete CMS | Concrete CMS | 5.0 ~ 9.5.0 | - |
II. Public POCs for CVE-2026-8347
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-8347
请登录查看更多情报信息。
Vendor Pages for CVE-2026-8347 (1)
- 9.5.1 Release Notes :: Concrete CMSrelease-notes
Same Patch Batch · Concrete CMS · 2026-05-22 · 3 CVEs total
| CVE-2026-8340 | Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion | |
| CVE-2026-8353 | Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik them |
IV. Related Vulnerabilities
Same product: Concrete CMS
- CVE-2026-8353
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XS - CVE-2026-8340
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backe - CVE-2026-8139
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via - CVE-2026-7890
Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer B - CVE-2026-8409
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Requ
Same vendor: Concrete CMS
- CVE-2026-8353
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XS - CVE-2026-8340
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backe - CVE-2026-8139
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via - CVE-2026-7890
Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer B - CVE-2026-8409
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Requ
Same weakness: CWE-639
- CVE-2026-9306
QuantumNous new-api Midjourney Image Relay Endpoint relay-ro - CVE-2026-35430
Azure Privileged Identity Management (PIM) Elevation of Priv - CVE-2026-39967
TypeBot: Cross-Typebot Result Data Access via Missing typebo - CVE-2026-28444
Typebot: IDOR in Result Logs Endpoint Allows Cross-Workspace - CVE-2026-9248
Devolutions Server越权漏洞影响2025及2026版本
V. Comments for CVE-2026-8347
No comments yet