Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
Cross-Site Request Forgery in Concrete CMS 9 allows a remote unauthenticated attacker to trigger unauthorized bulk cache operations against authenticated CMS users. The vulnerable endpoint is concrete/controllers/dialog/page/bulk/cache, which fails to validate request origin, enabling an attacker to manipulate page cache state by deceiving a logged-in user into loading a crafted page. No public exploit or active exploitation has been identified; the Concrete CMS security team rated this CVSS v4.0 2.3 (Low), reflecting limited integrity impact and the prerequisite of user interaction.
Technical ContextAI
Concrete CMS is a PHP-based content management system. The affected component is the bulk cache dialog controller (concrete/controllers/dialog/page/bulk/cache), which processes bulk cache-clearing or cache-setting operations on CMS pages. The root cause is CWE-352 (Cross-Site Request Forgery): the endpoint does not enforce anti-CSRF token validation, meaning any authenticated browser session can be silently leveraged to submit state-changing requests. The CVSS v4.0 vector AV:N/AC:L/AT:P/PR:N/UI:P reflects that while the network attack surface is broad and complexity is low, exploitation requires an attack prerequisite (AT:P - an active authenticated user session must exist) and passive user interaction (the victim must be induced to load attacker-controlled content). The scope is confined to the vulnerable component (no lateral system impact), and the integrity impact is rated Low (VI:L), consistent with limited cache manipulation rather than full content modification. Affected CPE: cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade Concrete CMS to version 9.5.0 or later per the CVE description fix boundary; however, given that the vendor reference links to the 9.5.1 release notes (https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes), upgrading to 9.5.1 is advisable to ensure all related fixes are included. If an immediate upgrade is not feasible, a compensating control is to restrict access to the /concrete/controllers/dialog/page/bulk/cache endpoint at the web server or reverse proxy layer (e.g., block direct external access to /index.php/ccm/system/dialogs/page/bulk/cache), accepting the trade-off that the bulk cache UI feature will be unavailable to legitimate users. Additionally, enforcing strict SameSite=Strict or SameSite=Lax cookie policies for the CMS session cookie at the web server level will mitigate CSRF broadly but requires testing for compatibility with Concrete CMS's authentication flows.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31374
GHSA-rv3q-xmfw-mcjv