Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
AnalysisAI
Unauthenticated page metadata disclosure in Concrete CMS 9.5.0 and below exposes private, draft, and restricted page details - including title, URL path, description, and author - to any remote attacker on sites with summary templates configured. The flaw stems from improper access control (CWE-284) where the summary template rendering pipeline bypasses page visibility restrictions entirely, making sensitive page structure visible without any credential. No active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis; the CVSS v4.0 score of 6.3 with AT:P reflects that exploitation depends on a non-universal template configuration being present.
Technical ContextAI
Concrete CMS is a PHP-based content management system with a templating layer that renders page summaries for navigation, search, and listing features. The vulnerability is rooted in CWE-284 (Improper Access Control): when a page is assigned a summary template, the template rendering pathway exposes metadata without evaluating whether the requesting principal has read permission on the underlying page. This affects all page types - draft, private, and access-restricted - that have a summary template configured, meaning the confidentiality guardrails applied at the page level do not propagate to the template-rendered metadata output. CPE cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* covers the full affected range from version 5.0 through 9.5.0 per EUVD-2026-31358.
RemediationAI
Upgrade to Concrete CMS 9.5.1, which is confirmed as the remediated release per the vendor's own release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. This is the primary and recommended fix. If immediate patching is not feasible, the specific compensating control is to audit all pages that have a summary template assigned and remove or replace summary templates from pages whose metadata must remain confidential - specifically private pages, drafts, and access-restricted content. This eliminates the disclosure pathway for those pages but will suppress summary rendering in navigation and listing blocks where those templates were in use, which may visually impact site functionality. No generic network-layer mitigation (WAF rules, IP restrictions) can reliably block this without understanding which page URLs are summary-template-enabled, making the template audit the most targeted and precise interim control.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31358
GHSA-vpgr-cwfx-pwfw