PT-2026-42564 · Unknown · Concrete Cms
0X4C616E · Published 2026-05-21 · Updated 2026-05-22 · CVE-2026-8327
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions prior to 9.5.0
Description: The user-profile edit controller passes the entire raw POST array to the UserInfo::update() function without whitelisting the fields a user is allowed to change (a mass-assignment flaw). As a result, a registered user can change their password without supplying the current password for re-authorization. The same flaw lets a user disable per-user IP pinning in the session validator, a security feature intended to detect session hijacking.
Recommendations: Update to version 9.5.0 or later.
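The vulnerable pattern and a hardened form of it, as an added illustration (not Concrete CMS's own code): the handler forwards only whitelisted keys and accepts a password change only after the current password has been verified. The class, field names and the unlisted flag name are assumptions.

```php
<?php
// Illustrative example, not Concrete CMS code. Shows a profile-edit handler
// that filters the POST array before it reaches the update routine instead
// of forwarding the raw array (the flaw described in the advisory).

final class ProfileUpdateFilter
{
    // Fields a registered user may change through the profile form.
    // Names are assumptions for this example.
    private const ALLOWED_FIELDS = ['uName', 'uEmail', 'uPassword'];

    /**
     * Returns only whitelisted keys from $post. A password change is kept
     * only when the caller has already verified the current password, so
     * neither an unauthorized 'uPassword' nor any unlisted key (such as a
     * flag controlling session validation) can reach the update routine.
     */
    public static function filter(array $post, bool $currentPasswordVerified): array
    {
        $data = [];
        foreach (self::ALLOWED_FIELDS as $field) {
            if (!array_key_exists($field, $post)) {
                continue;
            }
            if ($field === 'uPassword' && !$currentPasswordVerified) {
                continue; // require re-authorization before a password change
            }
            $data[$field] = $post[$field];
        }
        return $data;
    }
}

// Constructed sample request: a legitimate email change submitted together
// with a password and a hypothetical unlisted flag.
$post = [
    'uEmail'            => 'user@example.com',
    'uPassword'         => 'new-secret',
    'uDisableIPPinning' => '1',   // hypothetical key; not whitelisted
];

// Vulnerable pattern (as described in the advisory): everything forwarded.
// $userInfo->update($post);

// Hardened pattern: whitelist applied, and the current password was not
// verified in this request, so only the email change survives.
$safe = ProfileUpdateFilter::filter($post, false);
var_export($safe);
```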

Fix

Improper Privilege Management


Weakness Enumeration

Related Identifiers: CVE-2026-8327

Affected Products: Concrete Cms