CVE-2026-8434
HighSummary
Concrete CMS version 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) in the rescanMultiple() method of the backend file controller.
Risk Assessment
Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of the user, jeopardizing data integrity and system security.
Recommendation
It is recommended to update Concrete CMS to version 9.5.0 or later to mitigate this vulnerability.
Original NVD description (English source)
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

