CVE-2026-8434
Cross-Site Request Forgery in Concrete CMS
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
CVSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete_cms | concrete_cms | up to 9.5.0 (excluding 9.5.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1275 | The SameSite attribute for sensitive cookies is not set, or an insecure value is used. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Concrete CMS versions before 9.5.0 and is a Cross-Site Request Forgery (CSRF) issue located in the rescanMultiple() function of concrete/controllers/backend/file.
CSRF vulnerabilities allow an attacker to trick an authenticated user's browser into submitting a state-changing request to a web application without the user's consent; the request carries the user's session cookie, so the application cannot tell it apart from a deliberate action unless it checks an anti-CSRF token or the cookie's SameSite attribute keeps the cookie off cross-site requests.
How can this vulnerability impact me?
The impact of this vulnerability is relatively low, as indicated by its CVSS v4.0 base score of 2.3.
An attacker could cause a logged-in user to unintentionally trigger the rescanMultiple() function, which may lead to unintended file rescanning operations within Concrete CMS.
However, exploitation requires user interaction (UI:P), and the attacker needs no privileges of their own (PR:N) because the action runs with the victim's existing session, which limits the potential impact to what that one action can do.
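The two weaknesses listed above (CWE-352, a state-changing handler that does not verify the request came from the user, and CWE-1275, a session cookie without a safe SameSite value) have a standard pair of defences. The following is an added example written for this page, not Concrete CMS code: a per-session anti-CSRF token checked with a constant-time comparison before a hypothetical bulk "rescan" handler runs, a session cookie issued with SameSite=Lax, and a small checker that flags Set-Cookie headers whose SameSite attribute is missing or set to None. All function names, the `session` and `form` dictionaries, and the cookie name `session_id` are assumptions made for the example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple

# Constructed example: minimal server-side CSRF defences for a state-changing
# endpoint such as a bulk file rescan. Not Concrete CMS code.


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) an unguessable per-session anti-CSRF token.

    The token is embedded in the application's own forms; a page on another
    origin cannot read it, so a forged cross-site request cannot include it.
    """
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def is_valid_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Return True only if the submitted token matches the session's token.

    hmac.compare_digest avoids leaking the token through timing differences.
    """
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_rescan_request(session: dict, form: dict) -> Tuple[int, str]:
    """Hypothetical bulk-rescan handler that refuses requests without a valid token.

    Returns an (HTTP status, message) pair. The actual rescan is simulated.
    """
    if not is_valid_csrf_token(session, form.get("csrf_token")):
        # Cross-site forged requests land here: the browser sent the cookie,
        # but the attacker-controlled page could not supply the token.
        return 403, "CSRF token missing or invalid"
    file_ids = form.get("files", [])
    return 200, f"rescanned {len(file_ids)} file(s)"


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Build a Set-Cookie header for the session cookie with SameSite=Lax.

    Lax keeps the cookie off cross-site POSTs (the CSRF vector here) while
    still allowing ordinary top-level navigation links to the site to work.
    """
    cookie = SimpleCookie()
    cookie["session_id"] = session_id
    cookie["session_id"]["path"] = "/"
    cookie["session_id"]["httponly"] = True
    cookie["session_id"]["samesite"] = "Lax"
    if secure:
        cookie["session_id"]["secure"] = True
    return cookie.output(header="Set-Cookie:").strip()


def samesite_is_acceptable(set_cookie_header: str) -> bool:
    """Check a Set-Cookie header for a CWE-1275 style weakness.

    Accepts SameSite=Lax or SameSite=Strict; rejects a missing attribute or
    SameSite=None, both of which let the cookie ride along on cross-site requests.
    """
    value = set_cookie_header.strip()
    if value.lower().startswith("set-cookie:"):
        value = value[len("set-cookie:"):].strip()
    attributes = [part.strip() for part in value.split(";")[1:]]
    for attribute in attributes:
        name, _, attr_value = attribute.partition("=")
        if name.strip().lower() == "samesite":
            return attr_value.strip().lower() in ("lax", "strict")
    return False  # attribute absent: browser default is not something to rely on


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(handle_rescan_request(session, {"csrf_token": token, "files": [1, 2]}))
    print(handle_rescan_request(session, {"files": [1, 2]}))  # forged request
    header = session_cookie_header("constructed-session-id")
    print(header, samesite_is_acceptable(header))
```

A real deployment would also bind the token to the user's session store rather than a plain dictionary and would reject requests whose Origin or Referer header names a foreign site as a second layer; the token check alone already closes the CWE-352 path, and the SameSite attribute closes the CWE-1275 one independently of it.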