CVE-2026-8350 · HIGH 8.8 · EPSS p21.5%


Description

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in bulk_user_assignment.php, which can lead to privilege escalation to the Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks to Vincent55 for reporting.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% probability of exploitation · percentile 21.5% · 2026-06-19T12:03:05Z
Published: 2026-05-21
Last modified: 2026-05-26

Underlying weaknesses (1)

CWE-863 (Incorrect Authorization)

References

  1. https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

Type: Weakness · Target: Incorrect Authorization (cwe-863) · Confidence: 0% · Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus:

CVE-2026-8426, CVE-2026-8421, CVE-2026-8417, CVE-2026-8413, CVE-2026-8411, CVE-2026-8412
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.