CVE-2026-8135
Remote Code Execution in Concrete CMS via Insecure Deserialization
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete5 | concrete_cms | to 9.5.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Concrete CMS versions 9.5.0 and below have a Remote Code Execution (RCE) vulnerability caused by insecure deserialization in the ExpressEntryList block controller.
A rogue administrator who has privileges to add blocks to an area can bypass the protection mechanism that normally restricts malicious inputs over form POST requests by using the REST API functionality.
The REST API parses requests using json_decode(), which evaluates the string "true" as a strict PHP Boolean(true). This allows the attacker to inject a malicious serialized payload into the block's filterFields database column.
When the block's data is viewed or edited by an administrator, the malicious payload is executed, leading to complete server takeover.
How can this vulnerability impact me? :
This vulnerability can lead to complete server takeover through Remote Code Execution.
An attacker with rogue administrator privileges can inject malicious code that executes when block data is accessed, potentially compromising the entire server and all data and services hosted on it.