Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks lalalala5678 for reporting.
AnalysisAI
Unauthorized disclosure of restricted calendar event details in Concrete CMS 9.5.0 and below stems from a missing authorization check in the Calendar Block's action_get_events handler, which never invokes canView on the target calendar before returning event data. Unauthenticated remote attackers who can reach the endpoint can retrieve event information that site administrators have explicitly restricted, provided a Calendar Block with access-controlled events is deployed. No public exploit code exists and the vulnerability is absent from the CISA KEV catalog; however, the network-accessible, zero-authentication nature of the endpoint lowers the bar for casual enumeration of restricted scheduling data.
Technical ContextAI
Concrete CMS is a PHP-based content management system. The affected component is the Calendar Block controller's action_get_events method, an AJAX-callable action that populates calendar views with event data. CWE-425 (Direct Request / Forced Browsing) identifies the root cause: the action endpoint is directly reachable over HTTP without the CMS authorization layer being consulted - specifically, the canView permission check on the calendar object is never called before event data is serialized and returned. This is a controller-level authorization omission, not a cryptographic or injection flaw. The CVSS 4.0 vector component AT:P (Attack Requirements: Present) signals that a specific deployment prerequisite must be met before exploitation is meaningful, namely that at least one calendar within a Calendar Block must have event-level visibility restrictions configured.
RemediationAI
Upgrade to Concrete CMS 9.5.1, the release documented at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes, which is the implied fix version based on the vendor's reference. The patched release version has not been independently verified against a source code diff - confirm the canView authorization check is present in action_get_events before relying solely on the version number. If an immediate upgrade is not possible and Calendar Blocks with restricted event visibility are in active use, disable or remove Calendar Blocks from pages accessible to unauthenticated visitors as a compensating control; note this will break calendar functionality for those pages. Alternatively, configure all calendar events as publicly visible to eliminate the sensitivity of any disclosed data, accepting that access controls on event details will be non-functional until patching is complete. Web server-level blocking of requests matching the Calendar Block action_get_events parameter pattern is a third option but risks false positives that break legitimate authenticated use.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-425 – Direct Request ('Forced Browsing')
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31351
GHSA-46xh-7854-f568