CVE-2026-8426
Remote Code Execution in Concrete CMS
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete_cms | concrete_cms | to 9.5.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Concrete CMS version 9.5.0 and below, where the system does not validate a CSRF token before processing requests to a specific URL related to remote package upgrades.
An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP file on disk and force its upgrade() method to execute with a single browser navigation.
This leads to remote code execution with the permissions of the web server user.
To be vulnerable, the victim site must have the ability to install packages, be connected to the Concrete marketplace, and the attacker must control the package returned for an already installed marketplace item ID.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary code remotely on the affected server with the privileges of the web server user.
Such remote code execution can lead to full compromise of the affected system, including unauthorized access, data theft, data modification, or further attacks within the network.