CVE-2026-7879 in Concreteالمعلومات

الملخص

بحسب MITRE • 22/05/2026

In Concrete CMS 9.5.0 and below,  the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be downloaded and any user who knows a file's password can download a password protected file regardless of whether they have permission to access the file. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N.  Thanks Youssef Eid for reporting

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

ConcreteCMS

حجز

05/05/2026

إفشاء

22/05/2026

الاعتدال

تمت الموافقة

إدخال

VDB-365093

EPSS

0.00030

KEV

لا

النشاطات

منخفض جدًا

القطاع

Hostingprovider, Lawfirm, ...

المصادر

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-7879
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-7879
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-7879/

التالي نظرة عامة السابق

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!