Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete. The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
Cross-Site Request Forgery in Concrete CMS 9.x allows an unauthenticated remote attacker to delete application logs on behalf of an authenticated victim by tricking them into visiting a malicious page. The vulnerable endpoint is concrete/controllers/dialog/logs/bulk/delete, and exploitation results in low-integrity impact - specifically, destruction of audit log data. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS v4.0 score of 2.3 reflects the combination of required user interaction and the presence of attack prerequisites.
Technical ContextAI
Concrete CMS is a PHP-based content management system. The vulnerability resides in the bulk log deletion dialog controller (concrete/controllers/dialog/logs/bulk/delete) and is classified under CWE-352 (Cross-Site Request Forgery). CSRF occurs when a web application processes state-changing requests without verifying that the request originates from the authenticated user's own session, rather than from a forged request issued by a third-party page. The affected CPE is cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:*, covering Concrete CMS version 9 series through 9.5.0 per EUVD data. The CVSS v4.0 vector assigns AT:P (Attack Requirements: Present), reflecting that a prerequisite condition - specifically an authenticated victim session - must exist for the attack to succeed.
RemediationAI
The primary fix is to upgrade Concrete CMS to version 9.5.1, per the vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. Note that there is a minor discrepancy between the CVE description ('9 before 9.5.0') and EUVD data ('≤9.5.0'); verify the exact fixed version against the linked release notes before concluding 9.5.0 is safe. If immediate upgrade is not possible, the specific compensating control is to restrict access to the /concrete/controllers/dialog/logs/bulk/delete endpoint at the web server or WAF layer - this will prevent the forged request from being processed but will also disable the bulk log deletion UI feature for legitimate administrators. Alternatively, enforce strict Referer/Origin header validation via WAF rules to block cross-origin form submissions to that endpoint. Neither workaround is a substitute for patching.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31376
GHSA-v7c7-658v-hh7v