GHSA-r7vr-wg3f-8hr9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r7vr-wg3f-8hr9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-r7vr-wg3f-8hr9/GHSA-r7vr-wg3f-8hr9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r7vr-wg3f-8hr9
- Aliases
-
- CVE-2022-50807
- Published
- 2026-01-14T00:31:27Z
- Modified
- 2026-02-03T02:58:55.506001Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- Concrete5 CMS contains an XPath injection vulnerability
- Details
-
Concrete5 CMS version 9.1.3 contains an XPath injection vulnerability that allows attackers to manipulate URL path parameters with malicious payloads. Attackers can flood the system with crafted requests to potentially extract internal content paths and system information.
- Database specific
{ "severity": "MODERATE", "cwe_ids": [ "CWE-643" ], "github_reviewed_at": "2026-01-14T16:53:51Z", "github_reviewed": true, "nvd_published_at": "2026-01-13T23:15:50Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-50807
- https://github.com/concretecms/concretecms
- https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3
- https://www.concretecms.org
- https://www.concretecms.org/download
- https://www.exploit-db.com/exploits/51144
- https://www.vulncheck.com/advisories/concrete-cme-xpath-injection
Affected packages
Packagist / concrete5/concrete5
Package
- Name
- concrete5/concrete5
- Purl
- pkg:composer/concrete5/concrete5