Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error.
AnalysisAI
ConcreteCMS version 9.4.7 contains a memory exhaustion vulnerability in the File Manager's download functionality that allows authenticated attackers to trigger a Denial of Service condition. The vulnerability exists in the 'download' method of 'concrete/controllers/backend/file.php', where improper memory management during zip archive creation using ZipArchive::addFromString combined with file_get_contents loads entire file contents into PHP memory without streaming or size validation. An attacker with valid authentication credentials can exploit this by requesting bulk downloads of large files, exhausting available PHP memory and causing the PHP-FPM process to crash with a SIGSEGV signal, rendering the web application unavailable with HTTP 500 errors.
Technical ContextAI
The vulnerability exploits a common PHP memory management antipattern in the ZipArchive class implementation. The vulnerable code path uses file_get_contents to load complete file contents into memory before passing them to ZipArchive::addFromString, bypassing the streaming capabilities that ZipArchive provides through addFile and other methods. This is a classic instance of CWE-400 (Uncontrolled Resource Consumption) or CWE-770 (Allocation of Resources Without Limits or Throttling). ConcreteCMS, a PHP-based content management system, is affected in version 9.4.7. The issue manifests because PHP's default memory_limit configuration is fixed, and the vulnerable code loads all requested files simultaneously rather than processing them incrementally, making it trivial for an authenticated user to allocate more memory than the PHP process can handle.
RemediationAI
Upgrade ConcreteCMS to the latest version that includes a patch for this vulnerability (check the ConcreteCMS project repository for version 9.4.8 or later, or the latest stable release). The primary fix involves refactoring the file download handler to use streaming-based approaches such as ZipArchive::addFile instead of loading file contents into memory via file_get_contents, or implementing chunked reading with explicit memory limits per operation. Until a patch can be deployed, implement the following workarounds: restrict File Manager access to trusted administrators only via role-based access control and disable bulk download functionality if possible via configuration or by modifying the controller temporarily. Additionally, configure PHP memory_limit to a reasonable but not excessive value (e.g., 256MB to 512MB) to limit the impact of any single request, and monitor PHP-FPM error logs for SIGSEGV signals as an early warning of exploitation attempts. Consult the official ConcreteCMS security advisory and release notes for the exact patched version and deployment instructions.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14895
GHSA-p68c-rmfh-j48h