Severity by source
NVD (primary rating; only source for this CVE):
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks to XananasX7 and Sanjorn Keeratirungsan (dizconnect) for both independently reporting. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 8.4 with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.
Analysis (AI)
PHP object injection in Concrete CMS versions below 9.5.2 allows authenticated, high-privileged attackers to trigger arbitrary PHP object instantiation through unsafe unserialize() calls in the Workflow, Form block, and File/Set components. The vulnerability requires a malicious serialized payload to be placed in the database beforehand, and no public exploit was identified at the time of analysis. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires (1) the attacker to have a means of writing a crafted serialized payload into the Concrete CMS database - typically high-privilege editorial/admin access (PR:H in the vector) or a chained injection vulnerability - and (2) the vulnerable site to use the Workflow component, Form block, or File/Set component that subsequently deserializes that database value. … |
| Risk Assessment | The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H paints a mixed picture: the local attack vector and high privileges required substantially limit reach, but full confidentiality, integrity, and availability impact on the vulnerable component justify the 8.4 score. … |
| Exploit Scenario | An attacker first uses a separate primitive - for example a compromised editor account or a stored injection bug - to write a crafted serialized PHP object string into a Workflow, Form block, or File/Set database row. When the application subsequently retrieves and deserializes that row via the unrestricted unserialize() call, PHP instantiates the attacker-chosen class and fires its magic methods, executing a POP gadget chain that yields arbitrary code execution in the web server context. … |
| Remediation | Vendor-released patch: upgrade to Concrete CMS 9.5.2 or later, which adds the allowed_classes restriction to the affected unserialize() call sites; release notes are at https://documentation.concretecms.org/9-x/developers/introduction/version-history/952-release-notes. … |
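The pattern behind this CVE and the shape of its fix, as an added example that is not Concrete CMS code: a loader that deserializes a value read from a database column, first with an unrestricted unserialize() and then with the allowed_classes restriction the 9.5.2 release adds. The class names WorkflowState and SomeOtherClass, the functions loadUnsafe() and loadHardened(), and the sample rows are all constructed for this illustration (PHP 8 syntax; the allowed_classes option itself exists since PHP 7.0).

```php
<?php
// Added example (not Concrete CMS code). Names and sample rows are constructed.
declare(strict_types=1);

// The only class the loader legitimately expects to find in the stored column.
final class WorkflowState
{
    public function __construct(public string $step = 'draft') {}
}

// Stand-in for any other class present in the autoloader. It only records that
// its magic method ran, which is enough to show the difference between the two loaders.
final class SomeOtherClass
{
    public static bool $wakeupRan = false;

    public function __wakeup(): void
    {
        self::$wakeupRan = true;
    }
}

// Vulnerable pattern: whatever class name the stored string names gets instantiated,
// and its __wakeup()/__destruct() run inside unserialize() before the caller sees anything.
function loadUnsafe(string $stored): mixed
{
    return unserialize($stored);
}

// Hardened pattern: only WorkflowState may be instantiated. Any other class name yields a
// __PHP_Incomplete_Class object (no magic methods of the named class run), and malformed
// input returns false with an E_NOTICE; the instanceof check rejects both.
function loadHardened(string $stored): ?WorkflowState
{
    $value = unserialize($stored, ['allowed_classes' => [WorkflowState::class]]);
    return $value instanceof WorkflowState ? $value : null;
}

// Constructed sample rows as they might sit in a database column.
$legitimateRow = serialize(new WorkflowState('approved'));
$unexpectedRow = 'O:14:"SomeOtherClass":0:{}'; // constructed: names a class the loader never expects

loadUnsafe($unexpectedRow);
printf("unsafe loader instantiated the unexpected class: %s\n",
    SomeOtherClass::$wakeupRan ? 'yes' : 'no');

SomeOtherClass::$wakeupRan = false;
$rejected = loadHardened($unexpectedRow);
printf("hardened loader rejected the row: %s; unexpected class instantiated: %s\n",
    $rejected === null ? 'yes' : 'no',
    SomeOtherClass::$wakeupRan ? 'yes' : 'no');

$state = loadHardened($legitimateRow);
printf("hardened loader accepted the legitimate row, step=%s\n", $state?->step ?? '(rejected)');
```

The allow-list is the correct minimal fix for call sites that genuinely need objects back, but it only limits which classes can be instantiated; an allow-listed class with its own dangerous magic methods remains reachable. Where a column only ever holds arrays or scalars, pass `['allowed_classes' => false]`, and for new code prefer a format such as JSON that cannot instantiate objects at all. Because the payload in this CVE is written to the database first, auditing who can edit Workflow, Form block and File/Set data, and monitoring those rows for serialized strings that name classes other than the expected ones, gives a detection signal independent of the patch.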
Recommended Action (AI)
24 hours: Inventory all Concrete CMS deployments and identify versions below 9.5.2; restrict administrative access to workflow, form block, and file/set management to essential personnel only. …
External POC / Exploit Code
- EUVD-2026-34164
- GHSA-52pr-7vmf-2w7x