CVE-2026-2994
Status: Received - Intake
CSRF Vulnerability in Concrete CMS Anti-Spam Allowlist Configuration

Publication date: 2026-03-04

Last updated on: 2026-03-04

Assigner: ConcreteCMS

Description
Concrete CMS below version 9.4.8 is subject to CSRF by a rogue administrator via the Anti-Spam Allowlist Group Configuration's group_id parameter, which can lead to a security bypass because changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to z3rco for reporting.
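The root cause named above is an ordering defect: the configuration write happens before the CSRF token is validated, so a forged cross-site request that rides on an administrator's session still changes state even though the handler eventually reports an error. The following Python example (written for this page, not Concrete CMS code) models that ordering with a hypothetical settings store and request object, placing the vulnerable handler beside the corrected one so the difference in persisted state is visible. The form field name `ccm_token`, the `ConfigStore` class and the audit-log entries are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Hypothetical logged-in session; the CSRF token is bound to it."""
    user_id: int
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Hypothetical POST request: the session comes from the cookie, the form from the body."""
    session: Session
    form: dict


class ConfigStore:
    """Constructed stand-in for the CMS configuration that the handler writes to."""

    def __init__(self):
        self.antispam_allowlist_group_id = None
        self.audit_log = []  # (event, detail) tuples, useful for detection review


def token_is_valid(request):
    """Constant-time comparison of the submitted token with the session token.
    A missing field compares as an empty string and therefore fails."""
    submitted = request.form.get("ccm_token", "")
    return hmac.compare_digest(submitted, request.session.csrf_token)


def save_allowlist_group_vulnerable(request, store):
    """Mirrors the ordering the advisory describes: group_id is persisted
    before the CSRF token is checked, so a forged request still changes state."""
    if not request.session.is_admin:
        return {"ok": False, "error": "forbidden"}
    store.antispam_allowlist_group_id = int(request.form["group_id"])
    store.audit_log.append(("saved", store.antispam_allowlist_group_id))
    if not token_is_valid(request):  # too late: the write above already happened
        return {"ok": False, "error": "invalid csrf token"}
    return {"ok": True}


def save_allowlist_group_fixed(request, store):
    """Corrected ordering: validate the token before any state change,
    so a forged request is rejected without touching the configuration."""
    if not request.session.is_admin:
        return {"ok": False, "error": "forbidden"}
    if not token_is_valid(request):
        store.audit_log.append(("rejected", "invalid csrf token"))
        return {"ok": False, "error": "invalid csrf token"}
    store.antispam_allowlist_group_id = int(request.form["group_id"])
    store.audit_log.append(("saved", store.antispam_allowlist_group_id))
    return {"ok": True}


def demo():
    """Run both handlers against a constructed forged request and report whether
    the stored group id changed. Both return an error; only one leaves a write behind."""
    admin = Session(user_id=1, is_admin=True)
    # Forged cross-site request: carries the admin's session but no valid token.
    forged = Request(session=admin, form={"group_id": "42"})
    store_v, store_f = ConfigStore(), ConfigStore()
    resp_v = save_allowlist_group_vulnerable(forged, store_v)
    resp_f = save_allowlist_group_fixed(forged, store_f)
    return {
        "vulnerable_changed": store_v.antispam_allowlist_group_id,
        "fixed_changed": store_f.antispam_allowlist_group_id,
        "vulnerable_response": resp_v,
        "fixed_response": resp_f,
        "fixed_audit": store_f.audit_log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit entries in the fixed handler are the detection hook: a "rejected" event with an "invalid csrf token" detail on an administrative settings endpoint is the signal worth alerting on, whereas the vulnerable ordering records a "saved" event for the same forged request and gives reviewers nothing to distinguish it from a legitimate change.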
Meta Information
Published: 2026-03-04
Last Modified: 2026-03-04
Generated: 2026-06-16
AI Q&A: 2026-03-04
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: concretecms
Product: concrete_cms
Version / Range: up to 9.4.8 (excluding 9.4.8)
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Executive Summary

This vulnerability affects Concrete CMS versions below 9.4.8 and is a Cross-Site Request Forgery (CSRF) issue. A rogue administrator can exploit the Anti-Spam Allowlist Group Configuration by manipulating the group_id parameter. The problem arises because changes are saved before the system verifies the CSRF token, so the token check cannot prevent the unauthorized change.

Impact Analysis

The vulnerability can lead to a security bypass where unauthorized changes are made to the Anti-Spam Allowlist Group Configuration without proper verification. This could allow a malicious administrator to alter settings or configurations that should be protected, potentially undermining the security of the CMS environment.
