CVE-2026-8413
Cross-Site Request Forgery in Concrete CMS
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete_cms | concrete_cms | all versions before 9.5.0 (9.5.0 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1275 | The SameSite attribute for sensitive cookies is not set, or an insecure value is used. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in Concrete CMS versions before 9.5.0. It is located at the path concrete/controllers/dialog/page/bulk/design. A CSRF vulnerability lets an attacker cause a user who is already authenticated to a web application to submit a request, and so perform an action, that the user never intended.
How can this vulnerability impact me?
The impact of this vulnerability is relatively low, as indicated by the CVSS score of 2.3. Exploitation requires user interaction (UI:P), needs no privileges on the part of the attacker (PR:N), and has only a low integrity impact on the vulnerable system (VI:L). An attacker could potentially cause a user to unknowingly perform certain design-related bulk page actions within Concrete CMS, which might lead to minor disruptions or unauthorized changes.