CVE-2026-8204MEDIUMCVSS 5.3

Concrete CMS is vulnerable to authorization bypass in the Calendar Event Frontend Dialog

Published May 21, 2026·Updated Jun 24, 2026

Description

Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data.

Affected Packages (1)

concrete5/concrete5COMPOSER
Fixed in 9.5.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

View on NVD Search GitHub Search Google

Get alerted for CVEs like this

Register your stack and get notified within minutes when a matching CVE drops.

Start monitoring free