Skip to main content

Concrete CMS CVE-2026-8433

| EUVDEUVD-2026-31365 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-21 ConcreteCMS GHSA-6fxm-r8p3-mx5c
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 22:38 vuln.today

DescriptionCVE.org

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

AnalysisAI

CSRF vulnerability in Concrete CMS 9.x exposes the backend file rescan controller at concrete/controllers/backend/file to unauthorized state-changing requests. Affecting versions 9.0 through 9.4.x (patched in 9.5.1), an unauthenticated remote attacker can trigger unintended file rescan operations against an authenticated victim's session by luring them to a malicious page. Rated CVSS v4.0 at 2.3 - limited to low integrity impact with no confidentiality or availability consequence - and no public exploit identified at time of analysis.

Technical ContextAI

The root cause is CWE-352 (Cross-Site Request Forgery): the file rescan backend endpoint fails to verify that incoming HTTP requests originate from the legitimate authenticated user rather than a forged cross-origin request. Browsers automatically attach session cookies to same-origin and cross-site requests, enabling an attacker-controlled page to silently submit state-changing requests on behalf of a logged-in victim. The affected component is specifically the rescan() method within concrete/controllers/backend/file, a backend administrative controller in the Concrete CMS PHP content management platform. The CPE string cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* covers all Concrete CMS 9.x releases up to the fix. The CVSS v4.0 Attack Requirements field AT:P (Present) reflects that a prerequisite condition - an authenticated session - must exist for exploitation.

RemediationAI

Upgrade to Concrete CMS 9.5.1 or later, as indicated by the vendor's 9.5.1 release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. This is a vendor-released patch and represents the primary recommended fix. If an immediate upgrade is not feasible, a compensating control is to restrict access to the /concrete/controllers/backend/file rescan endpoint at the web server or WAF layer, limiting it to trusted IP ranges - note this may impact legitimate administrative file management workflows. Additionally, ensuring that administrative users follow strict session hygiene (logging out after use, avoiding concurrent browsing during admin sessions) reduces the practical exploitation surface for this and other CSRF-class issues. No known workarounds fully substitute for the patch.

CVE-2021-22968 HIGH POC
7.2 Nov 19

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co

CVE-2021-36766 HIGH POC
7.2 Jul 30

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl

CVE-2020-24986 HIGH POC
7.2 Sep 04

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File

CVE-2020-11476 HIGH POC
7.2 Jul 28

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity

CVE-2018-13790 HIGH POC
7.2 Jul 09

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-2994 MEDIUM POC
6.8 Mar 04

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co

CVE-2017-8082 MEDIUM POC
6.5 Apr 24

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in

CVE-2023-48648 CRITICAL
9.8 Nov 17

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec

CVE-2022-21829 CRITICAL
9.8 Jun 24

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho

CVE-2021-22958 CRITICAL
9.8 Oct 07

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad

CVE-2021-40098 CRITICAL
9.8 Sep 27

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Share

CVE-2026-8433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy