Skip to main content

Concrete CMS CVE-2026-7882

| EUVDEUVD-2026-31361 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-21 ConcreteCMS GHSA-66rg-92q4-6m8q
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 22:34 vuln.today

DescriptionCVE.org

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protection for the file deletion endpoint, allowing cross-site request forgery attacks against users who have permission to edit conversation messages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector of CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting.

AnalysisAI

Unauthorized file deletion is possible in Concrete CMS 9.5.0 and below due to an inverted CSRF token validation logic in the DeleteFile controller, where the protection mechanism operates in reverse - rejecting legitimate requests and approving forged ones. A remote unauthenticated attacker (PR:N per CVSS v4.0) can craft a cross-site request forgery attack that deletes files on behalf of any victim authenticated with conversation message editing privileges. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV; the vendor-assigned CVSS v4.0 score of 2.3 reflects the constrained real-world impact given the required victim privilege level and mandatory user interaction.

Technical ContextAI

The root cause is CWE-352 (Cross-Site Request Forgery), but the mechanism is notably unusual: rather than a missing CSRF check, this is an inverted check - the DeleteFile controller logic throws an error when a valid CSRF token is present and proceeds with the destructive file deletion operation when the token is absent or invalid. This effectively transforms the security control into its own bypass. The affected component is tied to Concrete CMS's conversation message editing feature and its associated file management functionality. CPE cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* covers all Concrete CMS versions through 9.5.0 per EUVD-2026-31361. The CVSS v4.0 vector element AT:P (Attack Requirements: Present) confirms the exploitation depends on specific runtime conditions beyond default network reachability.

RemediationAI

The primary remediation is to upgrade to Concrete CMS 9.5.1, as indicated by the vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes, which are expected to correct the inverted CSRF token validation in the DeleteFile controller. The fix version of 9.5.1 is inferred from the release notes URL and has not been independently verified from advisory content. If immediate patching is not feasible, administrators should restrict which user roles hold conversation message editing and file deletion permissions, reducing the pool of potential victims; this has no functional impact for users who do not require this capability. A WAF rule blocking unauthenticated or cross-origin POST requests to the DeleteFile endpoint could reduce exposure but may interfere with legitimate content management workflows. Enforcing strict SameSite=Strict cookie attributes on the session cookie at the web server or reverse proxy level would also mitigate CSRF attacks broadly, though this may break cross-origin integrations if any exist.

CVE-2021-22968 HIGH POC
7.2 Nov 19

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co

CVE-2021-36766 HIGH POC
7.2 Jul 30

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl

CVE-2020-24986 HIGH POC
7.2 Sep 04

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File

CVE-2020-11476 HIGH POC
7.2 Jul 28

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity

CVE-2018-13790 HIGH POC
7.2 Jul 09

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-2994 MEDIUM POC
6.8 Mar 04

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co

CVE-2017-8082 MEDIUM POC
6.5 Apr 24

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in

CVE-2023-48648 CRITICAL
9.8 Nov 17

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec

CVE-2022-21829 CRITICAL
9.8 Jun 24

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho

CVE-2021-22958 CRITICAL
9.8 Oct 07

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad

CVE-2021-40098 CRITICAL
9.8 Sep 27

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Share

CVE-2026-7882 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy