CWE-1287
Improper Validation of Specified Type of Input
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
CVE-2026-7887 (GCVE-0-2026-7887)
Vulnerability from cvelistv5 – Published: 2026-05-21 21:20 – Updated: 2026-05-22 13:11
VLAI
Title
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status
Summary
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. Thanks 0x4c616e for reporting.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1287 - Improper validation of specified type of input
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://documentation.concretecms.org/9-x/develop… | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Concrete CMS | Concrete CMS |
Affected:
5.0 , ≤ 9.5.0
(git)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7887",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T13:11:07.832365Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T13:11:14.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/concretecms/concretecms",
"defaultStatus": "unaffected",
"product": "Concrete CMS",
"repo": "https://github.com/concretecms/concretecms",
"vendor": "Concrete CMS",
"versions": [
{
"lessThanOrEqual": "9.5.0",
"status": "affected",
"version": "5.0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0x4c616e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cspan\u003eFor Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A\u003c/span\u003e\u003cspan\u003e\u0026nbsp;user with \u003c/span\u003e\u003ccode\u003euIsActive=0\u003c/code\u003e\u003cspan\u003e (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eThe Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector\u0026nbsp;\u003c/span\u003e\u003cspan\u003eCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. Thanks\u0026nbsp;\u003c/span\u003e\u003cspan\u003e0x4c616e for reporting.\u003c/span\u003e\u003c/div\u003e"
}
],
"value": "For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A\u00a0user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. Thanks\u00a00x4c616e for reporting."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287 Improper validation of specified type of input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T21:20:13.037Z",
"orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
"shortName": "ConcreteCMS"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
}
],
"source": {
"advisory": "https://hackerone.com/reports/3636728",
"defect": [
"HackerOne"
],
"discovery": "EXTERNAL"
},
"title": "For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
"assignerShortName": "ConcreteCMS",
"cveId": "CVE-2026-7887",
"datePublished": "2026-05-21T21:20:13.037Z",
"dateReserved": "2026-05-05T20:22:40.962Z",
"dateUpdated": "2026-05-22T13:11:14.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9521 (GCVE-0-2026-9521)
Vulnerability from cvelistv5 – Published: 2026-05-26 02:00 – Updated: 2026-05-26 12:21 X_Open Source
VLAI
Title
fraillt bitsery std_smart_ptr.h loadFromSharedState improper validation of specified type of input
Summary
A security vulnerability has been detected in fraillt bitsery up to 5.2.4. Affected is the function loadFromSharedState in the library include/bitsery/ext/std_smart_ptr.h. Such manipulation leads to improper validation of specified type of input. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 5.2.5 is able to address this issue. The name of the patch is 66d16516e24893bebc1c8af52bf2fe9ad0735061. Upgrading the affected component is advised.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365541 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/365541/cti | signaturepermissions-required |
| https://vuldb.com/submit/814457 | third-party-advisory |
| https://gist.github.com/TrebledJ/750abc64a826f19d… | exploit |
| https://github.com/fraillt/bitsery/blob/master/CH… | release-notes |
| https://github.com/fraillt/bitsery/commit/66d1651… | patch |
| https://github.com/fraillt/bitsery/releases/tag/v5.2.5 | patch |
| https://github.com/fraillt/bitsery/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9521",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:19:20.320392Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:21:05.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:fraillt:bitsery:*:*:*:*:*:*:*:*"
],
"product": "bitsery",
"vendor": "fraillt",
"versions": [
{
"status": "affected",
"version": "5.2.0"
},
{
"status": "affected",
"version": "5.2.1"
},
{
"status": "affected",
"version": "5.2.2"
},
{
"status": "affected",
"version": "5.2.3"
},
{
"status": "affected",
"version": "5.2.4"
},
{
"status": "unaffected",
"version": "5.2.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "trebledj (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in fraillt bitsery up to 5.2.4. Affected is the function loadFromSharedState in the library include/bitsery/ext/std_smart_ptr.h. Such manipulation leads to improper validation of specified type of input. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 5.2.5 is able to address this issue. The name of the patch is 66d16516e24893bebc1c8af52bf2fe9ad0735061. Upgrading the affected component is advised."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T02:00:15.197Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365541 | fraillt bitsery std_smart_ptr.h loadFromSharedState improper validation of specified type of input",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/365541"
},
{
"name": "VDB-365541 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365541/cti"
},
{
"name": "Submit #814457 | fraillt bitsery 5.2.4 CWE-1287, CWE-843 (Type Confusion)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/814457"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/TrebledJ/750abc64a826f19dd2d6774724629b71"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/fraillt/bitsery/blob/master/CHANGELOG.md#525-2025-10-09"
},
{
"tags": [
"patch"
],
"url": "https://github.com/fraillt/bitsery/commit/66d16516e24893bebc1c8af52bf2fe9ad0735061"
},
{
"tags": [
"patch"
],
"url": "https://github.com/fraillt/bitsery/releases/tag/v5.2.5"
},
{
"tags": [
"product"
],
"url": "https://github.com/fraillt/bitsery/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-25T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-25T21:22:35.000Z",
"value": "VulDB entry last update"
}
],
"title": "fraillt bitsery std_smart_ptr.h loadFromSharedState improper validation of specified type of input"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9521",
"datePublished": "2026-05-26T02:00:15.197Z",
"dateReserved": "2026-05-25T19:17:31.511Z",
"dateUpdated": "2026-05-26T12:21:05.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-5
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.