Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions.The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.
AnalysisAI
Unauthenticated file usage disclosure in Concrete CMS 9.5.0 and below exposes internal page structure to any network-accessible visitor without credentials. The usage controller endpoint /ccm/system/dialogs/file/usage/{fID} lacks a permission check, returning page IDs, URL handles, and full URLs for every page referencing a given file - including pages explicitly restricted by CMS access controls. No public exploit identified at time of analysis, but the CVSS:4.0 AV:N/AC:L/AT:N/PR:N/UI:N vector confirms trivial, unauthenticated network exploitation with no complexity barrier.
Technical ContextAI
Concrete CMS is a PHP-based content management system with a file management subsystem that tracks which pages reference uploaded assets. The usage controller provides this mapping to administrators via the dialog endpoint /ccm/system/dialogs/file/usage/{fID}, where {fID} is a numeric file identifier. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) identifies the root cause: the controller returns sensitive relational data - page handles, IDs, and full URLs - without verifying whether the requesting party holds any session, role, or permission. Concrete CMS file IDs are typically sequential integers, making enumeration straightforward. The disclosure includes pages that CMS permission rules otherwise hide from unauthenticated users, breaking the site's content access control model at the metadata level.
RemediationAI
Upgrade to Concrete CMS 9.5.1, which addresses this missing permission check per the vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. If immediate patching is not feasible, restrict unauthenticated access to the path /ccm/system/dialogs/file/usage/ at the web server (nginx location block or Apache <Location>) or WAF layer - note this will break the legitimate admin file-usage dialog in the CMS backend, so the restriction should be removed promptly after patching. No other workarounds that preserve full admin functionality have been identified from available data.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31344
GHSA-4g7q-44qp-cc5c