CVE-2022-50807
CRITICAL9.8Concrete5 CMS contains an XPath injection vulnerability
Published: 1/14/2026Modified: 2/3/2026
Also known as:GHSA-r7vr-wg3f-8hr9
Description
Concrete5 CMS version 9.1.3 contains an XPath injection vulnerability that allows attackers to manipulate URL path parameters with malicious payloads. Attackers can flood the system with crafted requests to potentially extract internal content paths and system information.
Affected packages (1)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-50807
- PATCHhttps://github.com/concretecms/concretecms
- WEBhttps://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3
- WEBhttps://www.concretecms.org
- WEBhttps://www.concretecms.org/download
- WEBhttps://www.exploit-db.com/exploits/51144
- WEBhttps://www.vulncheck.com/advisories/concrete-cme-xpath-injection