CVE-2026-3452
Remote Code Execution via PHP Object Injection in Concrete CMS
Publication date: 2026-03-04
Last updated on: 2026-03-04
Assigner: ConcreteCMS
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concretecms | concrete_cms | all versions below 9.4.8 (9.4.8 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
Concrete CMS versions below 9.4.8 have a vulnerability that allows Remote Code Execution through stored PHP object injection. This occurs in the Express Entry List block via the columns parameter. An authenticated administrator can inject attacker-controlled serialized data into block configuration fields. These fields are later passed to the PHP unserialize() function without any class restrictions or integrity checks, enabling the execution of malicious code.
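The pattern described in the answer above, shown as an added PHP example that is not Concrete CMS code and does not reproduce the Express Entry List block: a hypothetical `columns` setting is stored as a string and later loaded. The first loader is the CWE-502 sink (unrestricted `unserialize()`); the two loaders after it show the defensive alternatives a reviewer would ask for, namely refusing to instantiate any class, or avoiding PHP serialization entirely and binding the stored value to an HMAC so that a value the application did not produce is rejected. All function names and the sample values are assumptions made for this example.

```php
<?php
// Added example, not Concrete CMS code. Contrasts an unrestricted unserialize()
// of stored block configuration with two hardened loaders.
declare(strict_types=1);

// --- Vulnerable pattern (CWE-502): the stored string is trusted as-is.
function loadColumnsUnsafe(string $stored): mixed
{
    // Any serialized object in $stored is instantiated and its __wakeup()/
    // __destruct() magic methods run: this is the object-injection sink.
    return unserialize($stored);
}

// --- Hardened loader 1: forbid object instantiation, then validate the shape.
function loadColumnsNoObjects(string $stored): array
{
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no application or library class is constructed.
    $data = unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('column config must be an array');
    }
    foreach ($data as $name) {
        if (!is_string($name) || !preg_match('/^[a-z_][a-z0-9_]*$/i', $name)) {
            throw new UnexpectedValueException('invalid column name in config');
        }
    }
    return $data;
}

// --- Hardened loader 2: JSON (which never instantiates objects) plus an HMAC,
// so a stored value that was not produced by the application fails integrity.
function storeColumns(array $columns, string $key): string
{
    $json = json_encode(array_values($columns), JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $json, $key) . '.' . $json;
}

function loadColumns(string $stored, string $key): array
{
    // The hex MAC contains no '.', so the first '.' separates MAC and payload.
    [$mac, $json] = explode('.', $stored, 2) + [null, null];
    if ($mac === null || $json === null
        || !hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        throw new RuntimeException('stored configuration failed integrity check');
    }
    $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data) || $data !== array_filter($data, 'is_string')) {
        throw new UnexpectedValueException('column config must be a list of strings');
    }
    return $data;
}

// --- Usage with constructed sample values (not real site data).
$key = 'example-server-side-secret';            // assumed: kept out of the database
$legit = serialize(['title', 'author', 'date']);    // what the block intends to store
$object = 'O:8:"stdClass":0:{}';                    // a harmless serialized object

var_dump(loadColumnsUnsafe($object));               // instantiates an object: the sink
var_dump(loadColumnsNoObjects($legit));             // array(3) of column names

try {
    loadColumnsNoObjects($object);                  // __PHP_Incomplete_Class, not an array
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

$stored = storeColumns(['title', 'author'], $key);
var_dump(loadColumns($stored, $key));               // array(2), integrity verified

try {
    loadColumns(substr($stored, 0, -1) . 'x', $key); // one byte changed: MAC mismatch
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The shape check in `loadColumnsNoObjects` matters as much as `allowed_classes`: once objects are excluded, the remaining risk is that the array is used somewhere that expects specific keys and types, so validate before use. The JSON-plus-HMAC loader is the stronger design because it removes `unserialize()` from the path entirely; the stored string then carries no code-execution surface even if the database or an administrative form is compromised.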
How can this vulnerability impact me?
This vulnerability can lead to Remote Code Execution on the affected system, which means an attacker with administrator access can execute arbitrary code. This can compromise the entire system, potentially allowing the attacker to take full control, access sensitive data, modify or delete information, and disrupt services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know