Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete. The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
CSRF vulnerability in Concrete CMS 9.x before 9.5.0 allows a network-based attacker to trigger unauthorized log deletion by tricking an authenticated user into visiting a crafted page that silently issues a forged request to the concrete/controllers/dialog/logs/delete endpoint. The Concrete CMS security team assigned this a CVSS v4.0 score of 2.3, reflecting low integrity impact and the presence of attack prerequisites. No public exploit code has been identified and it is not listed in the CISA KEV catalog.
Technical ContextAI
The vulnerability is rooted in CWE-352 (Cross-Site Request Forgery), a class of flaws where state-changing server-side actions lack adequate origin validation, allowing a third-party page to issue authenticated requests on behalf of a logged-in user. The specific endpoint - concrete/controllers/dialog/logs/delete - handles deletion of CMS application logs. Concrete CMS is a PHP-based content management system; the affected product line is version 9.x, with CPE data not explicitly provided in this advisory but inferrable as cpe:2.3:a:concretecms:concrete_cms:9.*:*. The CVSS 4.0 vector includes AT:P (Attack Requirements: Present), signaling that a specific prerequisite condition beyond mere network reachability must be met, consistent with CSRF requiring an authenticated session on the victim's browser.
RemediationAI
Upgrade to Concrete CMS 9.5.0 or later; the CVE description identifies 9.5.0 as the first fixed release, with version 9.5.1 release notes available at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes providing additional context. Upgrading to 9.5.1 is advisable given the reference points to that version. If immediate patching is not feasible, a compensating control is to restrict access to the log deletion dialog to specific trusted IP ranges via network-layer ACLs or web server configuration, reducing the pool of users who could be targeted by CSRF. Additionally, ensuring that CMS admin accounts use short session timeouts reduces the window during which a forged request can succeed. Note that these workarounds do not eliminate the vulnerability and add operational friction; they should be treated as temporary measures only.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31378
GHSA-56c9-xq5g-xrf9