Vulnerability Description
Concrete CMS 9.5.0 and below is vulnerable to an insecure direct object reference (IDOR) in surveys. A site is only vulnerable if it is configured so that both public and private surveys are present. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey’s endpoint. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Zer0daySec (https://github.com/Zee99y) for reporting.
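The weakness class described above is a missing object-level check: access is decided for the survey named by the endpoint, while the submitted optionID is trusted. The following is an added illustration of that pattern and its fix, not Concrete CMS source code; the function names, array layout and sample IDs are all hypothetical and constructed for the example.

```php
<?php
// Added illustration, not Concrete CMS source. All names and data are hypothetical.
declare(strict_types=1);

// Constructed sample data: survey 1 is public, survey 2 is restricted.
const SURVEYS = [1 => ['requiresLogin' => false], 2 => ['requiresLogin' => true]];
// optionID => ID of the survey that owns the option
const OPTIONS = [10 => 1, 11 => 1, 20 => 2, 21 => 2];

/** Flawed pattern: access is checked for the endpoint's survey, the option is trusted. */
function voteUnchecked(int $endpointSurveyID, int $optionID, bool $loggedIn, array &$votes): bool
{
    if ((SURVEYS[$endpointSurveyID]['requiresLogin'] ?? true) && !$loggedIn) {
        return false;
    }
    $votes[] = $optionID; // the option may belong to a different survey
    return true;
}

/** Hardened pattern: the option must belong to the survey whose access was checked. */
function voteChecked(int $endpointSurveyID, int $optionID, bool $loggedIn, array &$votes): bool
{
    $survey = SURVEYS[$endpointSurveyID] ?? null;
    if ($survey === null || ($survey['requiresLogin'] && !$loggedIn)) {
        return false;
    }
    // Object-level check: reject unknown options and options owned by another survey.
    if ((OPTIONS[$optionID] ?? null) !== $endpointSurveyID) {
        return false;
    }
    $votes[] = $optionID;
    return true;
}

$flawed = [];
$fixed = [];
// Anonymous request to public survey 1 carrying option 20, which survey 2 owns.
var_dump(voteUnchecked(1, 20, false, $flawed));
var_dump(voteChecked(1, 20, false, $fixed));
// Anonymous request to public survey 1 with its own option 10.
var_dump(voteChecked(1, 10, false, $fixed));
// Anonymous request made directly to restricted survey 2.
var_dump(voteChecked(2, 20, false, $fixed));
```

The same ownership test is what to look for when reviewing a fix or writing a regression test: a vote must be rejected whenever the option's owning survey differs from the survey the request was authorized against.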
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-8337?
CVE-2026-8337 is a documented vulnerability. Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unaut...
How severe is CVE-2026-8337?
CVSS scoring is not yet available for CVE-2026-8337. Check NVD for updates.
Is there a patch for CVE-2026-8337?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.