CVE-2026-8427
Analyzed
Analyzed - Analysis Complete
Cross-Site Request Forgery in Concrete CMS
Publication date: 2026-05-21
Last updated on: 2026-05-26
Assigner: ConcreteCMS
Description
Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vectorΒ CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. ThanksΒ Yonatan Drori (Tenzai) for reporting.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concretecms | concrete_cms | From 9.0.0 (inc) to 9.5.1 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-1275 | The SameSite attribute for sensitive cookies is not set, or an insecure value is used. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
