Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
Cross-Site Request Forgery in Concrete CMS 9.x allows a remote unauthenticated attacker to forge state-changing requests against the file manager's addFavoriteFolder endpoint on behalf of an authenticated victim. Exploitation results in low-integrity impact - specifically unauthorized modification of a victim's favorite folder state - without any confidentiality or availability consequences. No public exploit has been identified at time of analysis, and the low CVSS v4.0 score of 2.3 reflects the passive user interaction requirement and constrained impact scope.
Technical ContextAI
Concrete CMS is an open-source PHP content management system. The vulnerable endpoint is concrete/controllers/backend/file at the addFavoriteFolder($id) method, which handles file-manager favorite-folder bookmarking. CWE-352 (Cross-Site Request Forgery) indicates the server fails to validate that a state-changing POST/GET request originated from the legitimate application interface rather than a third-party origin. The CVSS v4.0 vector includes AT:P (Attack Requirements: Present), indicating a non-default precondition exists - in CSRF context this typically means the victim must be actively authenticated to the CMS. The CPE cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* covers all platform/architecture variants of Concrete CMS up to the fixed version.
RemediationAI
Upgrade Concrete CMS to version 9.5.0 or later per the CVE description, with version 9.5.1 referenced in the vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes - given the discrepancy between EUVD (≤9.5.0 affected) and CVE description (<9.5.0 affected), administrators should target 9.5.1 as the safest confirmed state. If an immediate upgrade is not feasible, a compensating control is to restrict access to the /concrete/controllers/backend/file endpoint at the web server or reverse proxy layer (e.g., block the addFavoriteFolder route for unauthenticated origins), though this may disable the favorite folder feature for all users. A WAF rule enforcing CSRF token validation or same-origin request checking on this endpoint path can also reduce risk with minimal functional trade-off. These compensating controls are temporary mitigations and do not substitute for patching.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31372
GHSA-qj94-6rx6-27fr