Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
Cross-Site Request Forgery in Concrete CMS 9.x allows a remote unauthenticated attacker to trigger unauthorized reordering of Express Object associations by tricking an authenticated user into visiting a crafted page. The vulnerability targets the endpoint concrete/controllers/dialog/express/association/reorder, with impact limited to low-severity integrity modification of the vulnerable system only. No public exploit has been identified at time of analysis, and the low CVSS v4.0 score of 2.3 reflects the combination of required user interaction, specific prerequisite conditions (AT:P), and limited data impact.
Technical ContextAI
Concrete CMS is a PHP-based content management system. The affected endpoint (concrete/controllers/dialog/express/association/reorder) is part of the Express Objects subsystem, a feature that allows developers to define custom data objects and associations within the CMS. CWE-352 (Cross-Site Request Forgery) describes a class of vulnerabilities where a web application does not sufficiently verify that a request was intentionally made by the authenticated user. In this case, the reorder endpoint appears to lack CSRF token validation, meaning a forged cross-origin request submitted on behalf of a logged-in user would be processed as legitimate. The CPE string (cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:*) confirms this affects the canonical ConcreteCMS application. The CVSS 4.0 vector introduces the AT:P (Attack Requirements: Present) field, indicating specific deployment or user-state preconditions beyond just having a logged-in session - likely that the victim must have access to the Express associations management area.
RemediationAI
Upgrade Concrete CMS to version 9.5.0 or later; the reference URL https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes points to the 9.5.1 release notes, suggesting 9.5.1 may be the definitive patched release - organizations should target 9.5.1 or the latest available 9.x release to resolve this and any subsequent issues. Given the low impact of the vulnerability (limited to integrity of Express association ordering), immediate emergency patching is not warranted for most environments, but the fix should be included in the next scheduled CMS maintenance cycle. If patching is delayed, a compensating control is to restrict access to the Express Objects management interface to trusted administrator roles only and ensure that users with Express association management permissions are educated about phishing and cross-site attacks. No meaningful network-level blocking is applicable since the endpoint is a legitimate application feature.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31371
GHSA-xj25-753j-wgp9