CVE-2026-8327

EPSS 0.18%
Veröffentlicht 21.05.2026 21:15:31
Zuletzt bearbeitet 26.05.2026 17:18:10
Quelle ff5b8ace-8b95-4078-9743-eac1ca
CVE-Watchlists
Login
Unerledigt
Login

Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass.

Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update() without field whitelisting resulting in password change without requiring the current password  and also resulting in registered users able to disable the per-user-IP-pinning in the session validator which is meant to detect hijacking.  The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 5.3 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks 0x4c616e for reporting.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Concretecms ≫ Concrete Cms Version < 9.5.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.079

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
ff5b8ace-8b95-4078-9743-eac1ca5451de	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-620 Unverified Password Change

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-8327

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-8327

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-8327

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-8327