Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
Cross-Site Request Forgery (CSRF) in Concrete CMS 9.x through 9.5.0 allows a remote unauthenticated attacker to trigger unauthorized file rescanning via the rescanMultiple() function in the backend file controller, provided a logged-in user can be lured to interact with an attacker-crafted page. The integrity impact is limited to the vulnerable component, with no confidentiality or availability consequence. No public exploit or active exploitation has been identified; the Concrete CMS security team assigned a CVSS v4.0 score of 2.3, reflecting the low real-world impact and the prerequisite of user interaction and specific attack conditions.
Technical ContextAI
Concrete CMS is an open-source PHP content management system. The vulnerability resides in the backend file management controller at concrete/controllers/backend/file, specifically the rescanMultiple() method, which rescans one or more uploaded files. This endpoint does not implement adequate CSRF token validation, meaning a forged cross-origin HTTP request can invoke the action on behalf of a legitimately authenticated user. CWE-352 (Cross-Site Request Forgery) describes the root cause: the server accepts state-changing requests without verifying that the request originated from the trusted application interface rather than an external, attacker-controlled source. The CPE string cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* applies to the affected version range. The CVSS 4.0 vector's AT:P (Attack Requirements Present) component aligns with the inherent CSRF precondition that the targeted user must already hold an active authenticated session.
RemediationAI
The primary remediation is to upgrade Concrete CMS to version 9.5.1, which is indicated as the fixed release per the vendor's release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. If an immediate upgrade is not feasible, a compensating control is to restrict access to the backend file management interface (concrete/controllers/backend/file) via web server configuration (e.g., IP allowlisting or authentication gateway), which reduces the attack surface by limiting who can be a valid CSRF target. This workaround has the trade-off of potentially restricting legitimate editor workflows. Given the low severity (CVSS 4.0: 2.3), this issue should be addressed as part of a routine patching cycle rather than an emergency response.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31366
GHSA-6qjh-p324-694f