Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N.
AnalysisAI
Server-side request forgery in Concrete CMS 9.5.0 and earlier allows authenticated high-privileged page editors to direct the application server to fetch attacker-controlled URLs via the RSS Displayer block, with redirect-following behavior bypassing input validation to reach internal network resources. The CVSS v4.0 score of 2.1 (PR:H, AT:P) reflects that exploitation is constrained to users already holding page editor privileges and requires the RSS Displayer block to be in active use. No public exploit has been identified and this vulnerability is not listed in CISA KEV, placing it in a low real-world priority tier absent insider-threat or post-compromise scenarios.
Technical ContextAI
CWE-918 (Server-Side Request Forgery) describes vulnerabilities where an application fetches a remote resource based on user-supplied input without adequately validating the destination. In Concrete CMS, the RSS Displayer block is designed to allow page editors to specify an external RSS feed URL, which the CMS server then fetches server-side to render content. The flaw lies in the absence of redirect validation: an attacker can supply a URL hosted on an attacker-controlled server that immediately issues an HTTP 301/302 redirect to an internal address (e.g., RFC-1918 ranges, cloud instance metadata endpoints such as 169.254.169.254, or internal APIs). Because the server follows redirects without confirming the resolved destination is permitted, the internal fetch occurs outside the intended validation scope. The CVSS 4.0 vector component AT:P (Attack Requirements: Present) confirms a prerequisite condition - specifically, the RSS Displayer block must be deployed and accessible to the page editor. Exact CPE strings were not provided in the available intelligence data; affected scope is described in the vendor advisory as version 9.5.0 and below in the 9.x branch.
RemediationAI
The primary remediation is to upgrade to Concrete CMS 9.5.1, which is documented as addressing this SSRF in the vendor's release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. Note that the fix version 9.5.1 is inferred from the NVD reference pointing to those release notes and has not been independently verified beyond that source. If immediate upgrade is not feasible, administrators should remove or disable the RSS Displayer block from all page templates and editor toolkits, which eliminates the vulnerable surface entirely at the cost of RSS feed display functionality. As a secondary compensating control, configuring egress firewall rules on the CMS application server to block outbound HTTP/HTTPS connections to RFC-1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata addresses (169.254.169.254) will limit the blast radius of any SSRF exploitation, though this does not remediate the vulnerability and may interfere with legitimate internal integrations. Finally, auditing and tightening the assignment of the high-privilege page editor role reduces the pool of accounts capable of triggering the vulnerability.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31379
GHSA-gjwq-9v8p-47w7