Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
Cross-Site Request Forgery in Concrete CMS 9.x through 9.5.0 allows a remote unauthenticated attacker to trigger bulk page deletion by tricking an authenticated user into visiting a malicious web page. The vulnerable endpoint is concrete/controllers/dialog/page/bulk/delete, and exploitation results in low-integrity impact against the vulnerable system. No public exploit code has been identified at time of analysis, and the Concrete CMS security team assigned a CVSS v4.0 score of 2.3, reflecting the prerequisite of passive victim interaction and the constrained impact.
Technical ContextAI
Concrete CMS is a PHP-based content management system. CWE-352 (Cross-Site Request Forgery) describes a class of vulnerabilities where a web application does not adequately verify that a state-changing request originated from the legitimate user rather than a third-party site. The affected endpoint - concrete/controllers/dialog/page/bulk/delete - handles bulk deletion of CMS pages and, in versions prior to 9.5.1, fails to enforce anti-CSRF token validation. The CPE identifier cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* covers all editions of Concrete CMS. The CVSS v4.0 vector AV:N/AC:L/AT:P/PR:N/UI:P reflects a network-reachable attack of low complexity, but requiring attack preconditions (AT:P) and passive victim interaction (UI:P), consistent with the CSRF threat model where a victim must be authenticated and visit attacker-controlled content.
RemediationAI
Upgrade Concrete CMS to version 9.5.1 or later, which contains the fix per the vendor's release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. The fix version is inferred from the reference URL pointing to the 9.5.1 release notes and the EUVD affected range ending at 9.5.0; an exact changelog entry was not independently verified. As a compensating control prior to patching, administrators can restrict access to the /concrete/controllers/dialog/page/bulk/delete endpoint via web server configuration (e.g., nginx location deny or Apache access controls limited to trusted IP ranges), though this may break bulk-delete UI functionality for legitimate users. Additionally, enforcing short session timeouts reduces the window during which an authenticated admin session can be hijacked for CSRF. Note that neither workaround substitutes for patching, as session-based controls do not eliminate the CSRF weakness.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31373
GHSA-752x-23hp-jmv6