CVE-2026-8433
Cross-Site Request Forgery in Concrete CMS
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete_cms | concrete_cms | up to 9.5.0 (excluding 9.5.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1275 | The SameSite attribute for sensitive cookies is not set, or an insecure value is used. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Concrete CMS versions before 9.5.0 and is a Cross-Site Request Forgery (CSRF) issue located in the rescan() function of concrete/controllers/backend/file.
CSRF vulnerabilities allow an attacker to trick an authenticated user's browser into submitting a request to the web application, so that an action is performed in that user's session without their consent.
How can this vulnerability impact me?
The impact of this vulnerability is relatively low, as indicated by its CVSS v4.0 base score of 2.3.
An attacker could potentially cause an authenticated user to trigger the file rescan action without intending to, which might lead to unintended operations within the Concrete CMS backend.