Skip to main content

Concrete CMS CVE-2026-8412

| EUVDEUVD-2026-31374 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-21 ConcreteCMS GHSA-rv3q-xmfw-mcjv
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 22:36 vuln.today

DescriptionCVE.org

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

AnalysisAI

Cross-Site Request Forgery in Concrete CMS 9 allows a remote unauthenticated attacker to trigger unauthorized bulk cache operations against authenticated CMS users. The vulnerable endpoint is concrete/controllers/dialog/page/bulk/cache, which fails to validate request origin, enabling an attacker to manipulate page cache state by deceiving a logged-in user into loading a crafted page. No public exploit or active exploitation has been identified; the Concrete CMS security team rated this CVSS v4.0 2.3 (Low), reflecting limited integrity impact and the prerequisite of user interaction.

Technical ContextAI

Concrete CMS is a PHP-based content management system. The affected component is the bulk cache dialog controller (concrete/controllers/dialog/page/bulk/cache), which processes bulk cache-clearing or cache-setting operations on CMS pages. The root cause is CWE-352 (Cross-Site Request Forgery): the endpoint does not enforce anti-CSRF token validation, meaning any authenticated browser session can be silently leveraged to submit state-changing requests. The CVSS v4.0 vector AV:N/AC:L/AT:P/PR:N/UI:P reflects that while the network attack surface is broad and complexity is low, exploitation requires an attack prerequisite (AT:P - an active authenticated user session must exist) and passive user interaction (the victim must be induced to load attacker-controlled content). The scope is confined to the vulnerable component (no lateral system impact), and the integrity impact is rated Low (VI:L), consistent with limited cache manipulation rather than full content modification. Affected CPE: cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade Concrete CMS to version 9.5.0 or later per the CVE description fix boundary; however, given that the vendor reference links to the 9.5.1 release notes (https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes), upgrading to 9.5.1 is advisable to ensure all related fixes are included. If an immediate upgrade is not feasible, a compensating control is to restrict access to the /concrete/controllers/dialog/page/bulk/cache endpoint at the web server or reverse proxy layer (e.g., block direct external access to /index.php/ccm/system/dialogs/page/bulk/cache), accepting the trade-off that the bulk cache UI feature will be unavailable to legitimate users. Additionally, enforcing strict SameSite=Strict or SameSite=Lax cookie policies for the CMS session cookie at the web server level will mitigate CSRF broadly but requires testing for compatibility with Concrete CMS's authentication flows.

CVE-2021-22968 HIGH POC
7.2 Nov 19

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co

CVE-2021-36766 HIGH POC
7.2 Jul 30

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl

CVE-2020-24986 HIGH POC
7.2 Sep 04

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File

CVE-2020-11476 HIGH POC
7.2 Jul 28

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity

CVE-2018-13790 HIGH POC
7.2 Jul 09

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-2994 MEDIUM POC
6.8 Mar 04

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co

CVE-2017-8082 MEDIUM POC
6.5 Apr 24

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in

CVE-2023-48648 CRITICAL
9.8 Nov 17

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec

CVE-2022-21829 CRITICAL
9.8 Jun 24

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho

CVE-2021-22958 CRITICAL
9.8 Oct 07

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad

CVE-2021-40098 CRITICAL
9.8 Sep 27

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Share

CVE-2026-8412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy