Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
Cross-Site Request Forgery in Concrete CMS 9.x exposes the bulk page design dialog endpoint (concrete/controllers/dialog/page/bulk/design) to forged requests, allowing a network-accessible attacker to manipulate page design settings on behalf of an authenticated user who visits a malicious link. The Concrete CMS security team assigned a CVSS v4.0 score of 2.3 (Low), reflecting that exploitation requires specific attack prerequisites (AT:P) and user interaction (UI:P), with impact limited to low-severity integrity modifications on the vulnerable system. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Technical ContextAI
CWE-352 (Cross-Site Request Forgery) describes a class of vulnerabilities where a web application fails to verify that state-changing requests originate from the legitimate user rather than a forged third-party source. In Concrete CMS (CPE: cpe:2.3:a:concrete_cms:concrete_cms), the specific endpoint at concrete/controllers/dialog/page/bulk/design - a dialog controller handling bulk design operations across multiple CMS pages - does not enforce CSRF token validation. CVSS v4.0 vector AT:P (Attack Requirements: Present) indicates that exploitation is conditional on specific prerequisites beyond mere network access, most plausibly that the victim must hold an active authenticated session in the CMS. The CVSS v4.0 framework's UI:P (User Interaction: Passive) confirms the victim must take a minimal action, such as loading a crafted page, for the attack to succeed.
RemediationAI
Upgrade Concrete CMS to version 9.5.1, which is indicated as the patched release per the vendor advisory at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. If an immediate upgrade is not feasible, restrict access to the /concrete/controllers/dialog/page/bulk/design endpoint via web server ACLs or firewall rules to trusted internal IP ranges only - this limits the attack surface by preventing unauthenticated external actors from delivering the forged request, though it does not address the underlying CSRF flaw and may disrupt legitimate bulk design operations for remote editors. Additionally, ensuring users follow best practices of logging out of the CMS when not actively working reduces the window of opportunity for CSRF exploitation.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31375
GHSA-mpq2-mv8p-9wm6