{“lastseen”:””,”description”:”Concrete CMS 9.5.0 and below is subject to\u00a0Insecure Direct Object Reference\u00a0(IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector\u00a0CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:L\/VI:N\/VA:N\/SC:N\/SI:N\/SA:N. Thanks\u00a0Tristan Madani for reporting.”,”published”:”2026-05-21T21:09:18.551Z”,”modified”:”2026-05-21T21:09:18.551Z”,”type”:”cve”,”title”:”Concrete CMS 9.5.0 and below is vulnerable to IDOR in the Express Entry Detail block”,”source”:”ConcreteCMS”,”references”:”https:\/\/documentation.concretecms.org\/9-x\/developers\/introduction\/version-history\/951-release-notes”,”id”:”CVE-2026-7881″,”bulletinFamily”:””,”cwe”:[“CWE-639″],”cvelist”:null,”sourceData”:”Concrete CMS Concrete CMS 5.0″,”sourceHref”:””,”cvss”:{“score”:6.3,”severity”:”MEDIUM”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:L\/VI:N\/VA:N\/SC:N\/SI:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Concrete CMS”,”version”:”5.0″,”vendor”:”Concrete CMS”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Concrete CMS 9.5.0 and below is subject to\u00a0Insecure Direct Object Reference\u00a0(IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,23,12,21,13,7,11,5],"class_list":["post-56176","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-63","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n