Severity by source
CVSS Vector (NVD): CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (NVD)
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.
Analysis (AI)
PHP Object Injection in Concrete CMS versions below 9.5.2 allows arbitrary PHP object instantiation through unsafe unserialize() calls in the Permission, Cache, and Search components. The flaw is triggered when a malicious serialized payload has already been written to the database, meaning the unauthenticated trigger depends on a prior write primitive existing in the deployment. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that a malicious PHP serialized payload first be written into a database row consumed by the Permission, Cache, or Search components of Concrete CMS prior to 9.5.2. The CVSS 4.0 vector states AV:L/PR:H, meaning local access with high privileges, while the description adds that the unserialize() trigger itself does not require authentication once the poisoned row exists. … |
| Risk Assessment | Signals conflict and must be reconciled carefully. … |
| Exploit Scenario | An attacker first leverages a separate write primitive (a SQL injection, a compromised admin account, or a misconfigured integration) to plant a crafted PHP serialized POP gadget chain into a Permission, Cache, or Search table row. On the next request that causes Concrete CMS to read and unserialize() that row, PHP instantiates the attacker-controlled objects and triggers magic methods, yielding code execution or file write in the web server context. … |
| Remediation | Vendor-released patch: upgrade Concrete CMS to version 9.5.2 or later, which removes the unsafe unserialize() usage in the Permission, Cache, and Search components, per the release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/952-release-notes. … |
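The assessment above describes the general pattern behind this class of bug: a serialized string is read back from the database and passed to unserialize(), so whoever can write that row chooses which classes PHP instantiates. The following added example is not Concrete CMS code and does not reproduce its components; it uses constructed sample rows and hypothetical function names (loadUnsafe, loadHardened, containsSerializedObject) to show the weak pattern beside a hardened loader that refuses to instantiate any class, plus a scan helper a responder can run over existing rows to find values that carry object tokens.

```php
<?php
// Added example, not Concrete CMS code. Demonstrates the unsafe pattern the
// advisory describes and a hardened replacement for loading serialized values
// that were stored in a database.
declare(strict_types=1);

// Constructed sample rows standing in for database values (not real data).
const ROW_BENIGN = 'a:2:{s:4:"view";b:1;s:4:"edit";b:0;}';   // plain array
const ROW_OBJECT = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'; // serialized object

// Weak pattern: with default options, any class named in the payload is
// instantiated, and its __wakeup()/__destruct() hooks run.
function loadUnsafe(string $row): mixed
{
    return unserialize($row);
}

// Hardened loader: allowed_classes => false means no class is ever
// instantiated; an object in the payload becomes __PHP_Incomplete_Class,
// which we treat as evidence of tampering and refuse to use.
function loadHardened(string $row): array
{
    // The literal 'b:0;' is the only input for which false is a valid result.
    $value = @unserialize($row, ['allowed_classes' => false]);
    if ($value === false && $row !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    assertNoObjects($value);
    return is_array($value) ? $value : ['value' => $value];
}

// Recursively reject anything that was an object in the serialized form.
function assertNoObjects(mixed $value): void
{
    if ($value instanceof __PHP_Incomplete_Class || is_object($value)) {
        throw new UnexpectedValueException('serialized object in stored data; refusing to load');
    }
    if (is_array($value)) {
        foreach ($value as $child) {
            assertNoObjects($child);
        }
    }
}

// Triage helper for existing rows: true if the string contains an object
// (O:) or custom-serialized (C:) token at a position where a value begins.
function containsSerializedObject(string $row): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $row);
}

foreach ([ROW_BENIGN, ROW_OBJECT] as $row) {
    printf("%-22s object token: %s\n", substr($row, 0, 20) . '…',
        containsSerializedObject($row) ? 'yes' : 'no');
    try {
        var_dump(loadHardened($row));
    } catch (UnexpectedValueException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

The hardened loader is a compensating control for code paths that only ever store scalars and arrays; where a component legitimately needs objects back, pass an explicit allow-list of value classes instead of false, and prefer json_encode()/json_decode(..., true) for new storage so the question never arises. The scan helper is for finding rows that should not carry object tokens; it is not a substitute for the vendor fix, which is upgrading to 9.5.2 as stated above.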
Recommended Action (AI)
Within 24 hours: Inventory all Concrete CMS deployments and document current versions. …
References
EUVD-2026-35994
GHSA-g82f-9pw7-773w