Skip to main content

Concrete Cms CVE-2026-2994

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-03-04 ff5b8ace-8b95-4078-9743-eac1ca5451de GHSA-6mxw-2vhf-42g5
CSRF Concrete Cms
6.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
PoC Detected
Mar 04, 2026 - 21:35 vuln.today
Public exploit code
Patch released
Mar 04, 2026 - 21:35 nvd
Patch available
CVE Published
Mar 04, 2026 - 03:16 nvd
MEDIUM 6.8

DescriptionNVD

Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting

AnalysisAI

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Configuration that allows authenticated administrators to modify security settings without valid CSRF token validation. An attacker with administrative privileges can exploit this to bypass security controls by manipulating the group_id parameter before token verification occurs. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify anti-CSRF tokens are enforced.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-2994 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy