Concrete CMS Unauthenticated File Usage Disclosure Vulnerability

Vulnerability

A vulnerability exists in Concrete CMS versions through 9.5.0, allowing unauthenticated users to access file usage information without proper permission checks. By sending a request to the usage controller with a specific file ID, an attacker can obtain a list of all pages referencing that file, including sensitive details such as page IDs, handles, and full URLs. This issue also exposes information from pages that are normally restricted by permissions.

Impact

Exploitation of this vulnerability leads to unauthorized disclosure of file usage information, including references from permission-restricted pages.

Remediation

Users can upgrade to Concrete CMS version 9.5.1 or later to address this vulnerability.

Added: May 21, 2026, 9:32 PM
Updated: May 21, 2026, 9:32 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 8.3
remediation: 7.7
relevance: 9.0
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.