CVE-2026-8421
HighSummary
Concrete CMS versions 9.5.0 and below contain a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker can force the installation of a package without CSRF protection if they can entice an authenticated administrator to visit a crafted page.
Risk Assessment
This vulnerability could lead to remote code execution, posing a serious threat to the security of the system and the organization's data.
Recommendation
It is recommended to update Concrete CMS to the latest version to mitigate this vulnerability and implement additional safeguards against CSRF attacks.
Original NVD description (English source)
Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution. In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.

