GHSA-4g7q-44qp-cc5cMedium

Concrete CMS is vulnerable to unauthenticated file usage disclosure

Published
May 21, 2026
Last Modified
June 23, 2026

🔗 CVE IDs covered (1)

📋 Description

Concrete CMS 9.5.0 and below  is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller.  Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions. Concrete CMS thanks Eldudareeno for reporting this issue.

🎯 Affected products1

  • composer/concrete5/concrete5:< 9.5.1

🔗 References (3)