What is GHSA-8c7c-h7px-267g?

GHSA-8c7c-h7px-267g is a security advisory published by GitHub Security Advisories with Medium severity. Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would...

Which CVE IDs does GHSA-8c7c-h7px-267g cover?

GHSA-8c7c-h7px-267g covers the following CVE IDs: CVE-2026-8337. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

GHSA-8c7c-h7px-267gMedium

Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would...

Vendor

GitHub Security Advisories

Published

May 22, 2026

Last Modified

May 22, 2026

🔗 CVE IDs covered (1)

CVE-2026-8337 →

📋 Description

Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey’s endpoint. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Zer0daySec https://github.com/Zee99y for reporting

🔗 References (3)

https://nvd.nist.gov/vuln/detail/CVE-2026-8337
https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
https://github.com/advisories/GHSA-8c7c-h7px-267g