Skip to main content

Concrete CMS CVE-2026-8427

| EUVDEUVD-2026-31368 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-21 ConcreteCMS GHSA-67hj-8239-cmf5
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 22:38 vuln.today

DescriptionCVE.org

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

AnalysisAI

Cross-Site Request Forgery in Concrete CMS 9.x (versions prior to 9.5.0) allows a remote attacker to trigger the removeFavoriteFolder action on behalf of an authenticated CMS user by tricking them into visiting a malicious page. The affected endpoint is concrete/controllers/backend/file and the impact is limited to low-integrity modification - removal of a favorite folder. No public exploit has been identified and this vulnerability is not confirmed as actively exploited (CISA KEV). The CVSS 4.0 score of 2.3 accurately reflects the constrained, low-impact nature of the flaw.

Technical ContextAI

Concrete CMS is a PHP-based content management system. The vulnerable code path is the removeFavoriteFolder($id) function within the backend file controller (concrete/controllers/backend/file), which handles CMS users' saved folder shortcuts. CWE-352 (Cross-Site Request Forgery) indicates the endpoint does not implement or validate an anti-CSRF token, meaning any authenticated browser session can be coerced into issuing the state-changing request from a third-party origin. The CPE cpe:2.3:a:concrete_cms:concrete_cms:* scopes this to the Concrete CMS application directly. The CVSS 4.0 vector element AT:P (Attack Requirements: Present) indicates a specific operational precondition - an authenticated user session - must exist at the time of exploitation, distinguishing this from a fully unauthenticated attack surface.

RemediationAI

Upgrade to Concrete CMS 9.5.0 or later. The vendor reference points to the 9.5.1 release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes, creating minor ambiguity about whether 9.5.0 or 9.5.1 is the definitive fix version - upgrading to the latest available 9.x release is the safest course. As a temporary compensating control if immediate upgrade is not possible, restrict access to the /concrete/controllers/backend/file endpoint via WAF rules or web server access controls (e.g., nginx location blocks or Apache mod_rewrite) to trusted IP ranges only - note this will break legitimate backend file management for remote administrators. Implementing a SameSite=Strict or SameSite=Lax cookie policy at the application or reverse-proxy layer would also mitigate CSRF attacks more broadly, though this may affect cross-origin integrations.

CVE-2021-22968 HIGH POC
7.2 Nov 19

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co

CVE-2021-36766 HIGH POC
7.2 Jul 30

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl

CVE-2020-24986 HIGH POC
7.2 Sep 04

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File

CVE-2020-11476 HIGH POC
7.2 Jul 28

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity

CVE-2018-13790 HIGH POC
7.2 Jul 09

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-2994 MEDIUM POC
6.8 Mar 04

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co

CVE-2017-8082 MEDIUM POC
6.5 Apr 24

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in

CVE-2023-48648 CRITICAL
9.8 Nov 17

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec

CVE-2022-21829 CRITICAL
9.8 Jun 24

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho

CVE-2021-22958 CRITICAL
9.8 Oct 07

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad

CVE-2021-40098 CRITICAL
9.8 Sep 27

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Share

CVE-2026-8427 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy