Skip to main content

PHP EUVDEUVD-2026-14895

| CVE-2026-30662 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-03-24 mitre GHSA-p68c-rmfh-j48h
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 24, 2026 - 14:45 euvd
EUVD-2026-14895
Analysis Generated
Mar 24, 2026 - 14:45 vuln.today
CVE Published
Mar 24, 2026 - 00:00 nvd
MEDIUM 6.5

DescriptionCVE.org

ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error.

AnalysisAI

ConcreteCMS version 9.4.7 contains a memory exhaustion vulnerability in the File Manager's download functionality that allows authenticated attackers to trigger a Denial of Service condition. The vulnerability exists in the 'download' method of 'concrete/controllers/backend/file.php', where improper memory management during zip archive creation using ZipArchive::addFromString combined with file_get_contents loads entire file contents into PHP memory without streaming or size validation. An attacker with valid authentication credentials can exploit this by requesting bulk downloads of large files, exhausting available PHP memory and causing the PHP-FPM process to crash with a SIGSEGV signal, rendering the web application unavailable with HTTP 500 errors.

Technical ContextAI

The vulnerability exploits a common PHP memory management antipattern in the ZipArchive class implementation. The vulnerable code path uses file_get_contents to load complete file contents into memory before passing them to ZipArchive::addFromString, bypassing the streaming capabilities that ZipArchive provides through addFile and other methods. This is a classic instance of CWE-400 (Uncontrolled Resource Consumption) or CWE-770 (Allocation of Resources Without Limits or Throttling). ConcreteCMS, a PHP-based content management system, is affected in version 9.4.7. The issue manifests because PHP's default memory_limit configuration is fixed, and the vulnerable code loads all requested files simultaneously rather than processing them incrementally, making it trivial for an authenticated user to allocate more memory than the PHP process can handle.

RemediationAI

Upgrade ConcreteCMS to the latest version that includes a patch for this vulnerability (check the ConcreteCMS project repository for version 9.4.8 or later, or the latest stable release). The primary fix involves refactoring the file download handler to use streaming-based approaches such as ZipArchive::addFile instead of loading file contents into memory via file_get_contents, or implementing chunked reading with explicit memory limits per operation. Until a patch can be deployed, implement the following workarounds: restrict File Manager access to trusted administrators only via role-based access control and disable bulk download functionality if possible via configuration or by modifying the controller temporarily. Additionally, configure PHP memory_limit to a reasonable but not excessive value (e.g., 256MB to 512MB) to limit the impact of any single request, and monitor PHP-FPM error logs for SIGSEGV signals as an early warning of exploitation attempts. Consult the official ConcreteCMS security advisory and release notes for the exact patched version and deployment instructions.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-14895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy