CVE-2026-8135
Analyzed Analyzed - Analysis Complete
Remote Code Execution in Concrete CMS via Insecure Deserialization

Publication date: 2026-05-21

Last updated on: 2026-05-26

Assigner: ConcreteCMS

Description
Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because the REST API parses requests using json_decode(), the string "true" is evaluated as a strict PHP Boolean(true).  This bypass allows the attacker to inject a malicious serialized payload  into the block's filterFields database column. The payload will subsequently be executed when the block's data is viewed or edited by an administrator leading to complete server takeover (RCE).The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with a vector of CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H.  Thanks Nguyễn Văn Thiện https://github.com/Thien225409  for reporting
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-26
Generated
2026-06-11
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-8135
EUVD
EUVD-2026-31336
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
concretecms concrete_cms to 9.5.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Concrete CMS versions 9.5.0 and below have a Remote Code Execution (RCE) vulnerability caused by insecure deserialization in the ExpressEntryList block controller.

A rogue administrator who has privileges to add blocks to an area can bypass the protection mechanism that normally restricts malicious inputs over form POST requests by using the REST API functionality.

The REST API parses requests using json_decode(), which evaluates the string "true" as a strict PHP Boolean(true). This allows the attacker to inject a malicious serialized payload into the block's filterFields database column.

When the block's data is viewed or edited by an administrator, the malicious payload is executed, leading to complete server takeover.

Impact Analysis

This vulnerability can lead to complete server takeover through Remote Code Execution.

An attacker with rogue administrator privileges can inject malicious code that executes when block data is accessed, potentially compromising the entire server and all data and services hosted on it.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8135. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart