Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
CSRF vulnerability in Concrete CMS 9.x exposes the backend file rescan controller at concrete/controllers/backend/file to unauthorized state-changing requests. Affecting versions 9.0 through 9.4.x (patched in 9.5.1), an unauthenticated remote attacker can trigger unintended file rescan operations against an authenticated victim's session by luring them to a malicious page. Rated CVSS v4.0 at 2.3 - limited to low integrity impact with no confidentiality or availability consequence - and no public exploit identified at time of analysis.
Technical ContextAI
The root cause is CWE-352 (Cross-Site Request Forgery): the file rescan backend endpoint fails to verify that incoming HTTP requests originate from the legitimate authenticated user rather than a forged cross-origin request. Browsers automatically attach session cookies to same-origin and cross-site requests, enabling an attacker-controlled page to silently submit state-changing requests on behalf of a logged-in victim. The affected component is specifically the rescan() method within concrete/controllers/backend/file, a backend administrative controller in the Concrete CMS PHP content management platform. The CPE string cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* covers all Concrete CMS 9.x releases up to the fix. The CVSS v4.0 Attack Requirements field AT:P (Present) reflects that a prerequisite condition - an authenticated session - must exist for exploitation.
RemediationAI
Upgrade to Concrete CMS 9.5.1 or later, as indicated by the vendor's 9.5.1 release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. This is a vendor-released patch and represents the primary recommended fix. If an immediate upgrade is not feasible, a compensating control is to restrict access to the /concrete/controllers/backend/file rescan endpoint at the web server or WAF layer, limiting it to trusted IP ranges - note this may impact legitimate administrative file management workflows. Additionally, ensuring that administrative users follow strict session hygiene (logging out after use, avoiding concurrent browsing during admin sessions) reduces the practical exploitation surface for this and other CSRF-class issues. No known workarounds fully substitute for the patch.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31365
GHSA-6fxm-r8p3-mx5c