What is the CVSS score of CVE-2026-3452?

CVE-2026-3452 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.5%.

Which versions of PHP are affected by CVE-2026-3452?

Concrete CMS installations below version 9.4.8 are vulnerable to remote code execution through a stored PHP injection flaw in the Express Entry List block, allowing attackers to execute arbitrary…. A patch is available.

PHP CVE-2026-3452

HIGH

Deserialization of Untrusted Data (CWE-502)

2026-03-04 ff5b8ace-8b95-4078-9743-eac1ca5451de

GHSA-gj26-w59c-29mf

PHP RCE Deserialization Concrete Cms

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:05 vuln.today

Patch released

Mar 04, 2026 - 21:36 nvd

Patch available

CVE Published

Mar 04, 2026 - 02:15 nvd

HIGH 7.2

DescriptionNVD

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of ZUSO ART https://zuso.ai/ for reporting.

AnalysisAI

Remote code execution in Concrete CMS prior to version 9.4.8 stems from unsafe deserialization of PHP objects in the Express Entry List block configuration. An authenticated administrator can inject malicious serialized data through the columns parameter that executes arbitrary code when unserialized without validation. …

RemediationAI

Within 24 hours: Identify all Concrete CMS instances and their versions; assess which systems use Express Entry List blocks. Within 7 days: Apply vendor patch to upgrade all instances to version 9.4.8 or later; verify patches are successfully deployed. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-3452 vulnerability details – vuln.today

Back

PHP CVE-2026-3452

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code