CVE Catalog

CVE-2026-8135

High
Published: Translated: NVD NIST

Summary

Concrete CMS versions 9.5.0 and below are vulnerable to Remote Code Execution due to insecure deserialization in the ExpressEntryList block controller. A rogue administrator can bypass the intended protection mechanism, allowing for the injection of a malicious payload into the database.

Risk Assessment

An attacker could gain complete control over the server, posing a serious threat to the organization's security. Exploiting this vulnerability may lead to data loss and compromise of system integrity.

Recommendation

It is recommended to update Concrete CMS to version 9.5.1 or later to mitigate this vulnerability. Additionally, restrict administrator privileges and monitor access to the REST API.

Original NVD description (English source)

Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because the REST API parses requests using json_decode(), the string "true" is evaluated as a strict PHP Boolean(true).  This bypass allows the attacker to inject a malicious serialized payload  into the block's filterFields database column. The payload will subsequently be executed when the block's data is viewed or edited by an administrator leading to complete server takeover (RCE).The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with a vector of CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H.  Thanks Nguyễn Văn Thiện https://github.com/Thien225409

Vulnerability data from NVD (NIST) · CISA KEV · EPSS