GHSA-chfm-cm6h-q5x7Medium

Concrete CMS is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block

Published
May 22, 2026
Last Modified
June 24, 2026

🔗 CVE IDs covered (1)

📋 Description

Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team thanks Tristan Madani for reporting this issue.

🎯 Affected products1

  • composer/concrete5/concrete5:< 9.5.1

🔗 References (3)