Skip to main content

Concrete CMS EUVDEUVD-2026-31369

| CVE-2026-8432 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-21 ConcreteCMS GHSA-97jw-gr4m-c5v8
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 22:38 vuln.today

DescriptionCVE.org

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

AnalysisAI

Cross-Site Request Forgery (CSRF) in Concrete CMS 9.x before 9.5.1 allows a remote unauthenticated attacker to trigger unauthorized file-starring actions on behalf of an authenticated victim by luring them to a malicious page. The vulnerable endpoint is concrete/controllers/backend/file/star(), and successful exploitation results in a low-integrity modification of file bookmark state within the CMS. No public exploit code has been identified at time of analysis, and the Concrete CMS security team assigned this a CVSS v4.0 score of 2.3, reflecting its narrow, low-impact scope.

Technical ContextAI

The vulnerability resides in Concrete CMS's backend file management controller at concrete/controllers/backend/file/star(), which handles user-specific file starring (bookmarking) actions. CWE-352 (Cross-Site Request Forgery) describes a class of flaws where state-changing server-side operations lack adequate origin verification, allowing attacker-crafted cross-origin requests to be executed under the identity of an authenticated user. The CVSS v4.0 vector includes AT:P (Attack Target Presence), indicating that exploitation requires a victim who is actively authenticated to the Concrete CMS instance. The affected CPE is cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* spanning versions 9.0 through the version range just before the fix. The root cause is the absence of CSRF token validation or SameSite cookie enforcement on the file-starring endpoint.

RemediationAI

Upgrade Concrete CMS to version 9.5.1 or later. The fix is documented in the vendor's official release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. If immediate patching is not feasible, a compensating control is to configure session cookies with the SameSite=Strict or SameSite=Lax attribute at the web server or reverse proxy layer, which prevents cross-origin requests from carrying authenticated session credentials and directly mitigates CSRF risk; note this may affect cross-domain integrations if any are in use. Additionally, restricting access to the /concrete/controllers/backend/ path via a web application firewall or reverse proxy to only authenticated internal networks reduces the attack surface, at the cost of preventing remote-authenticated admin workflows.

CVE-2021-22968 HIGH POC
7.2 Nov 19

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co

CVE-2021-36766 HIGH POC
7.2 Jul 30

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl

CVE-2020-24986 HIGH POC
7.2 Sep 04

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File

CVE-2020-11476 HIGH POC
7.2 Jul 28

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity

CVE-2018-13790 HIGH POC
7.2 Jul 09

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-2994 MEDIUM POC
6.8 Mar 04

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co

CVE-2017-8082 MEDIUM POC
6.5 Apr 24

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in

CVE-2023-48648 CRITICAL
9.8 Nov 17

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec

CVE-2022-21829 CRITICAL
9.8 Jun 24

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho

CVE-2021-22958 CRITICAL
9.8 Oct 07

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad

CVE-2021-40098 CRITICAL
9.8 Sep 27

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Share

EUVD-2026-31369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy