CVE-2026-8416
HighSummary
Concrete CMS version 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) in the addFavoriteFolder($id) method in the backend controller.
Risk Assessment
An attacker could exploit this vulnerability to perform unauthorized actions on behalf of the user, potentially leading to unauthorized access to data.
Recommendation
It is recommended to update Concrete CMS to version 9.5.0 or later to mitigate this vulnerability.
Original NVD description (English source)
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

