Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
AnalysisAI
Unauthorized access to all Express form submissions is possible in Concrete CMS 9.5.0 and below through an Insecure Direct Object Reference (IDOR) in the Express Entry Detail block, exploitable by unauthenticated remote attackers who manipulate the exEntryID parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) confirms network-accessible, unauthenticated exploitation, though the AT:P metric indicates a specific deployment precondition - the Express Entry Detail block must be in active use. No public exploit or CISA KEV listing has been identified at time of analysis; a vendor-released patch is available in the 9.5.1 release.
Technical ContextAI
CWE-639 (Authorization Through User-Controlled Key) describes the root cause: the application uses a client-supplied identifier - exEntryID - as the sole authorization key to retrieve an Express Entry record, without verifying that the requesting party has permission to access that specific record. Concrete CMS's Express system is a built-in form and data management framework; the Express Entry Detail block renders individual form submission records on front-end pages. Because the exEntryID value is directly user-controllable and is not validated against session ownership or ACL rules, an attacker can enumerate or directly reference arbitrary submission IDs to read form data they are not entitled to. The affected CPE is cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* covering the version range from 5.0 up to and including 9.5.0.
RemediationAI
Upgrade to Concrete CMS 9.5.1, which addresses this vulnerability per the vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. If an immediate upgrade is not possible, a targeted compensating control is to remove or unpublish any pages containing the Express Entry Detail block from public access, which directly eliminates the exposed attack surface by preventing unauthenticated requests from reaching the vulnerable exEntryID parameter. Alternatively, restricting access to those pages via IP allowlist or requiring authentication at the web server or CMS permission level would limit exposure, though this may conflict with intended public-facing functionality. Note that restricting the block rather than patching leaves the underlying authorization flaw in place and should be treated as temporary only.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31355
GHSA-chfm-cm6h-q5x7