CVE-2026-8135
HighSummary
Concrete CMS versions 9.5.0 and below are vulnerable to Remote Code Execution due to insecure deserialization in the ExpressEntryList block controller. A rogue administrator can bypass the intended protection mechanism, allowing for the injection of a malicious payload into the database.
Risk Assessment
An attacker could gain complete control over the server, posing a serious threat to the organization's security. Exploiting this vulnerability may lead to data loss and compromise of system integrity.
Recommendation
It is recommended to update Concrete CMS to version 9.5.1 or later to mitigate this vulnerability. Additionally, restrict administrator privileges and monitor access to the REST API.
Original NVD description (English source)
Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because the REST API parses requests using json_decode(), the string "true" is evaluated as a strict PHP Boolean(true). This bypass allows the attacker to inject a malicious serialized payload into the block's filterFields database column. The payload will subsequently be executed when the block's data is viewed or edited by an administrator leading to complete server takeover (RCE).The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with a vector of CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks Nguyễn Văn Thiện https://github.com/Thien225409

