CVE-2026-2994
Received Received - Intake

CSRF Vulnerability in Concrete CMS Anti-Spam Allowlist Configuration

Vulnerability report for CVE-2026-2994, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-04

Last updated on: 2026-03-04

Assigner: ConcreteCMS

Description

Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-04
Last Modified
2026-03-04
Generated
2026-07-06
AI Q&A
2026-03-04
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
concretecms concrete_cms to 9.4.8 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

I don't know

Executive Summary

This vulnerability affects Concrete CMS versions below 9.4.8 and involves a Cross-Site Request Forgery (CSRF) issue. A Rogue Administrator can exploit the Anti-Spam Allowlist Group Configuration by manipulating the group_id parameter. The problem arises because changes are saved before the system verifies the CSRF token, allowing unauthorized actions to bypass security checks.

Impact Analysis

The vulnerability can lead to a security bypass where unauthorized changes are made to the Anti-Spam Allowlist Group Configuration without proper verification. This could allow a malicious administrator to alter settings or configurations that should be protected, potentially undermining the security of the CMS environment.

Compliance Impact

I don't know

Detection Guidance

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2994. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart