CVE-2026-8421
CSRF to RCE in Concrete CMS
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete_cms | concrete_cms | up to and including 9.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Concrete CMS versions up to and including 9.5.0, specifically the install_package() method of the install.php controller. The method performs no Cross-Site Request Forgery (CSRF) check (CWE-352), so the state-changing request that installs a package can be forged from a third-party site.
For the attack to succeed, an administrator who is logged in and holds the permission to install packages (canInstallPackages) must visit a page controlled by the attacker, and a package chosen by the attacker must already be present under the DIR_PACKAGES directory (placed there by the attacker, or caused to be there by other means). The forged request then installs that package, which runs the package controller's install() method as the web server user.
Because the install() method is code shipped with the package, this amounts to remote code execution on the server.
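The pattern the answer above describes is a state-changing handler that relies only on the session cookie, which the browser attaches to a cross-site request just as readily as to a genuine one. The following is an added, constructed illustration (not Concrete CMS code; the handler, the `csrf_token` parameter, the `can_install_packages` flag and the package handles are hypothetical). It places a handler with the missing check beside the same handler with a per-session, per-action HMAC token, and shows that a forged request succeeds against the first and fails against the second while a request carrying the token issued with the CMS's own form still succeeds.

```python
"""Constructed example of the CWE-352 pattern and its fix.

Not Concrete CMS code: the handler, the csrf_token parameter, the
can_install_packages flag and the package handles are hypothetical.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Per-installation secret; a real application keeps this persistent.
SECRET_KEY = secrets.token_bytes(32)


def issue_token(session_id: str, action: str) -> str:
    """Mint a CSRF token bound to one session and one action.

    The value is an HMAC over (session, action). A page on another origin
    can neither read nor compute it, even though the browser will still
    attach the victim's session cookie to any cross-site request.
    """
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, action: str, presented: Optional[str]) -> bool:
    """Constant-time comparison against the token expected for this session/action."""
    if not presented:
        return False
    return hmac.compare_digest(issue_token(session_id, action), presented)


class PackageInstaller:
    """Stand-in for a controller whose install action executes package code."""

    def __init__(self) -> None:
        self.installed: list = []

    def _run_package_install(self, handle: str) -> None:
        # In the real CMS this would execute the package controller's install()
        # as the web server user; here it is only recorded.
        self.installed.append(handle)

    def install_vulnerable(self, request: dict, session: dict) -> str:
        """Checks only the permission. The session cookie rides along with a
        forged cross-site request, so this check passes for a CSRF victim."""
        if not session.get("can_install_packages"):
            return "rejected: missing permission"
        self._run_package_install(request["pkg"])
        return "installed"

    def install_hardened(self, request: dict, session: dict) -> str:
        """Same handler with a per-action token check added before any side effect."""
        if not session.get("can_install_packages"):
            return "rejected: missing permission"
        if not token_is_valid(session["id"], "install_package", request.get("csrf_token")):
            return "rejected: missing or invalid CSRF token"
        self._run_package_install(request["pkg"])
        return "installed"


def demo() -> dict:
    """Run the same forged and genuine requests through both handlers."""
    installer = PackageInstaller()
    admin = {"id": "sess-admin", "can_install_packages": True}
    # Forged from an attacker-controlled page: the browser supplies the admin's
    # session, but the page has no way to supply a valid token.
    forged = {"pkg": "attacker_pkg"}
    # Submitted from the CMS's own form, which embeds a freshly issued token.
    genuine = {"pkg": "vendor_pkg",
               "csrf_token": issue_token(admin["id"], "install_package")}
    # A token minted for a different action must not be accepted for this one.
    wrong_action = {"pkg": "attacker_pkg",
                    "csrf_token": issue_token(admin["id"], "delete_page")}
    return {
        "vulnerable_forged": installer.install_vulnerable(forged, admin),
        "hardened_forged": installer.install_hardened(forged, admin),
        "hardened_genuine": installer.install_hardened(genuine, admin),
        "hardened_wrong_action": installer.install_hardened(wrong_action, admin),
        "installed": list(installer.installed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Binding the token to the action name matters here: a token leaked or reused from a harmless form should not unlock package installation. Because the forged request never reaches `_run_package_install` in the hardened handler, the precondition of a package already sitting under DIR_PACKAGES never comes into play.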
How can this vulnerability impact me?
An attacker who tricks a logged-in administrator with package-install permission into visiting a malicious page can force the installation of a package the attacker has staged on the server, gaining code execution as the web server user.
From there, full compromise of the web server, data theft, defacement, or further attacks against other systems on the network are possible.