CVE-2026-8239 MEDIUM

CVE-2026-8239: Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/get_rating'

Vendor Concrete Cms
Product Concrete CMS
Weakness CWE-862 · Missing authorization
Published May 21, 2026
Last update May 22, 2026
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.

Key dates

02Disclosure timeline

May 21, 2026 CVE published
May 22, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-24560 WordPress Cloudinary plugin <= 3.3.2 - Broken Access Control vulnerability CVE-2024-54354 WordPress Termin-Kalender plugin <= 0.99.47 - Broken Access Control vulnerability CVE-2025-5701 HyperComments <= 1.2.2 - Unauthenticated (Subscriber+) Arbitrary Options Update CVE-2024-32725 WordPress 5 Stars Rating Funnel plugin 1.2.67 - Broken Access Control vulnerability CVE-2026-26977 Frappe Learning Management System exposes details of unpublished courses to unauthorized users