PT-2026-42554 · Unknown · Concrete CMS

Tristan Madani · Published 2026-05-21 · Updated 2026-05-22 · CVE-2026-7881

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Concrete CMS versions 9.5.0 and earlier

Description

An Insecure Direct Object Reference (IDOR), which occurs when an application provides direct access to objects based on user-supplied input, exists in the Express Entry Detail block. By manipulating the exEntryID parameter, unauthorized users can gain access to all Express form submissions.

Recommendations

Update Concrete CMS to a version later than 9.5.0. As a temporary workaround, restrict access to the Express Entry Detail block or avoid using the exEntryID parameter until the update is applied.

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-7881

Affected Products

Concrete CMS