PT-2026-42545 · Unknown · Concrete Cms

·

CVE-2026-8205

·

Published

2026-05-21

·

Updated

2026-05-26

CVSS v4.0

6.3

Medium

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.5.0 and earlier
Description An authorization bypass exists in the Calendar Block. The function action get events() fails to verify the canView permission on the calendar, which allows the disclosure of restricted event details.
Recommendations Update to a version later than 9.5.0. As a temporary workaround, restrict access to the Calendar Block or the action get events() function until the update is applied.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8205
GHSA-46XH-7854-F568

Affected Products

Concrete Cms