CVE Catalog

CVE-2026-8421

High
Published: Translated: NVD NIST

Summary

Concrete CMS versions 9.5.0 and below contain a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker can force the installation of a package without CSRF protection if they can entice an authenticated administrator to visit a crafted page.

Risk Assessment

This vulnerability could lead to remote code execution, posing a serious threat to the security of the system and the organization's data.

Recommendation

It is recommended to update Concrete CMS to the latest version to mitigate this vulnerability and implement additional safeguards against CSRF attacks.

Original NVD description (English source)

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php.  An attacker who can cause an authenticated administrator to visit a crafted page,  and who has placed or caused a package to be present under DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution.  In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks  https://github.com/maru1009  for reporting.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS