Skip to main content

Concrete CMS CVE-2026-7890

| EUVDEUVD-2026-31379 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-21 ff5b8ace-8b95-4078-9743-eac1ca5451de GHSA-gjwq-9v8p-47w7
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 22:36 vuln.today

DescriptionCVE.org

In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses.  The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N.

AnalysisAI

Server-side request forgery in Concrete CMS 9.5.0 and earlier allows authenticated high-privileged page editors to direct the application server to fetch attacker-controlled URLs via the RSS Displayer block, with redirect-following behavior bypassing input validation to reach internal network resources. The CVSS v4.0 score of 2.1 (PR:H, AT:P) reflects that exploitation is constrained to users already holding page editor privileges and requires the RSS Displayer block to be in active use. No public exploit has been identified and this vulnerability is not listed in CISA KEV, placing it in a low real-world priority tier absent insider-threat or post-compromise scenarios.

Technical ContextAI

CWE-918 (Server-Side Request Forgery) describes vulnerabilities where an application fetches a remote resource based on user-supplied input without adequately validating the destination. In Concrete CMS, the RSS Displayer block is designed to allow page editors to specify an external RSS feed URL, which the CMS server then fetches server-side to render content. The flaw lies in the absence of redirect validation: an attacker can supply a URL hosted on an attacker-controlled server that immediately issues an HTTP 301/302 redirect to an internal address (e.g., RFC-1918 ranges, cloud instance metadata endpoints such as 169.254.169.254, or internal APIs). Because the server follows redirects without confirming the resolved destination is permitted, the internal fetch occurs outside the intended validation scope. The CVSS 4.0 vector component AT:P (Attack Requirements: Present) confirms a prerequisite condition - specifically, the RSS Displayer block must be deployed and accessible to the page editor. Exact CPE strings were not provided in the available intelligence data; affected scope is described in the vendor advisory as version 9.5.0 and below in the 9.x branch.

RemediationAI

The primary remediation is to upgrade to Concrete CMS 9.5.1, which is documented as addressing this SSRF in the vendor's release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. Note that the fix version 9.5.1 is inferred from the NVD reference pointing to those release notes and has not been independently verified beyond that source. If immediate upgrade is not feasible, administrators should remove or disable the RSS Displayer block from all page templates and editor toolkits, which eliminates the vulnerable surface entirely at the cost of RSS feed display functionality. As a secondary compensating control, configuring egress firewall rules on the CMS application server to block outbound HTTP/HTTPS connections to RFC-1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata addresses (169.254.169.254) will limit the blast radius of any SSRF exploitation, though this does not remediate the vulnerability and may interfere with legitimate internal integrations. Finally, auditing and tightening the assignment of the high-privilege page editor role reduces the pool of accounts capable of triggering the vulnerability.

Share

CVE-2026-7890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy