CVE Catalog

CVE-2026-10721

HighCVSS 8.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.02%

7th percentile - higher than 7% of all known CVEs

Summary

Concrete CMS versions below 9.5.2 are vulnerable to PHP Object Injection via unserialize() calls in the Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database.

Risk Assessment

This vulnerability could lead to serious security breaches, allowing attackers to execute arbitrary PHP code on the server. This may result in data loss or system takeover.

Recommendation

It is recommended to update Concrete CMS to version 9.5.2 or later to mitigate this vulnerability. Additionally, monitor and secure the database against malicious payloads.

Original NVD description (English source)

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS