Concrete CMS Calendar Block Authorization Bypass Vulnerability

Vulnerability

An authorization bypass vulnerability has been identified in the Calendar Block of Concrete CMS versions through 9.5.0. The issue arises because the 'action_get_events' function does not properly check the 'canView' permission on calendars. This oversight allows restricted event details to be disclosed.
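The missing check described above, modelled as an added example (this is not Concrete CMS source code, and nothing here is the project's API). The `Calendar` and `User` classes, both handler functions, the group-based `canView` logic and the lookup by calendar ID are assumptions made for illustration.

```php
<?php
// Added illustration: a self-contained model, not Concrete CMS source code.
// Calendar, User and both handler functions are hypothetical names.
final class User
{
    public function __construct(public array $groups) {}
}

final class Calendar
{
    public function __construct(
        public array $viewerGroups, // groups allowed to view this calendar
        public array $events        // event titles
    ) {}

    // Stand-in for the 'canView' permission named in the advisory.
    public function canView(User $u): bool
    {
        return count(array_intersect($this->viewerGroups, $u->groups)) > 0;
    }
}

// Flawed pattern: events are returned for whichever calendar is requested,
// and the caller's view permission is never consulted.
function getEventsUnchecked(array $calendars, int $id, User $u): array
{
    return isset($calendars[$id]) ? $calendars[$id]->events : [];
}

// Hardened pattern: deny unless canView passes. Unknown and forbidden
// calendars give the same empty answer, so existence is not disclosed.
function getEventsChecked(array $calendars, int $id, User $u): array
{
    $cal = $calendars[$id] ?? null;
    if ($cal === null || !$cal->canView($u)) {
        return [];
    }
    return $cal->events;
}

// Constructed sample data: calendar 2 is private to the 'staff' group.
$calendars = [
    1 => new Calendar(['guest', 'staff'], ['Open day']),
    2 => new Calendar(['staff'], ['Board meeting']),
];
$guest = new User(['guest']);

var_dump(getEventsUnchecked($calendars, 2, $guest)); // guest, private calendar
var_dump(getEventsChecked($calendars, 2, $guest));   // same request, checked
var_dump(getEventsChecked($calendars, 1, $guest));   // guest, public calendar
```

The same three calls work as a regression test: the checked handler should return events only for calendars the requesting user can view.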

Impact

Exploitation of this vulnerability leads to unauthorized disclosure of event details from private calendars.

Added: May 21, 2026, 9:25 PM
Updated: May 21, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 6.8
remediation: 7.7
relevance: 9.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.