Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
Cross-Site Request Forgery in Concrete CMS 9.x (versions prior to 9.5.0) allows a remote attacker to trigger the removeFavoriteFolder action on behalf of an authenticated CMS user by tricking them into visiting a malicious page. The affected endpoint is concrete/controllers/backend/file and the impact is limited to low-integrity modification - removal of a favorite folder. No public exploit has been identified and this vulnerability is not confirmed as actively exploited (CISA KEV). The CVSS 4.0 score of 2.3 accurately reflects the constrained, low-impact nature of the flaw.
Technical ContextAI
Concrete CMS is a PHP-based content management system. The vulnerable code path is the removeFavoriteFolder($id) function within the backend file controller (concrete/controllers/backend/file), which handles CMS users' saved folder shortcuts. CWE-352 (Cross-Site Request Forgery) indicates the endpoint does not implement or validate an anti-CSRF token, meaning any authenticated browser session can be coerced into issuing the state-changing request from a third-party origin. The CPE cpe:2.3:a:concrete_cms:concrete_cms:* scopes this to the Concrete CMS application directly. The CVSS 4.0 vector element AT:P (Attack Requirements: Present) indicates a specific operational precondition - an authenticated user session - must exist at the time of exploitation, distinguishing this from a fully unauthenticated attack surface.
RemediationAI
Upgrade to Concrete CMS 9.5.0 or later. The vendor reference points to the 9.5.1 release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes, creating minor ambiguity about whether 9.5.0 or 9.5.1 is the definitive fix version - upgrading to the latest available 9.x release is the safest course. As a temporary compensating control if immediate upgrade is not possible, restrict access to the /concrete/controllers/backend/file endpoint via WAF rules or web server access controls (e.g., nginx location blocks or Apache mod_rewrite) to trusted IP ranges only - note this will break legitimate backend file management for remote administrators. Implementing a SameSite=Strict or SameSite=Lax cookie policy at the application or reverse-proxy layer would also mitigate CSRF attacks more broadly, though this may affect cross-origin integrations.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31368
GHSA-67hj-8239-cmf5