CVE-2026-6826

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.5.0 and earlier

Description An issue exists where a missing permission check in the usage controller allows unauthenticated visitors to disclose file usage information. By requesting the endpoint '/ccm/system/dialogs/file/usage/{fID}' using any file ID via the fID variable, an attacker can obtain a list of every page referencing that file, including page IDs, handles, and full URLs. This disclosure includes pages that are otherwise restricted by permissions.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.