IDOR Vulnerability in Concrete CMS Product by Concrete5
CVE-2026-8337

6.3 MEDIUM

Key Information:

Vendor
CVE Published: 21 May 2026

What is CVE-2026-8337?

Concrete CMS versions 9.5.0 and earlier contain an insecure direct object reference (IDOR) vulnerability in the survey functionality that unauthenticated attackers can exploit. A malicious user can manipulate the public survey endpoint to submit votes for private surveys, bypassing the restrictions intended to safeguard sensitive data. This vulnerability can expose sensitive data within private surveys, posing a significant risk for sites that host both public and private surveys.

Affected Version(s)

Concrete CMS 5.0 <= 9.5.0

References

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zer0daySec (GitHub: https://github.com/Zee99y)