What is GHSA-4g7q-44qp-cc5c?

GHSA-4g7q-44qp-cc5c is a security advisory published by GitHub Security Advisories with Medium severity. Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing...

Which CVE IDs does GHSA-4g7q-44qp-cc5c cover?

GHSA-4g7q-44qp-cc5c covers the following CVE IDs: CVE-2026-6826. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

GHSA-4g7q-44qp-cc5cMedium

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing...

Vendor

GitHub Security Advisories

Published

May 21, 2026

Last Modified

May 21, 2026

🔗 CVE IDs covered (1)

CVE-2026-6826 →

📋 Description

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions.The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.

🔗 References (3)

https://nvd.nist.gov/vuln/detail/CVE-2026-6826
https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
https://github.com/advisories/GHSA-4g7q-44qp-cc5c