Description
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.
Published: 2026-06-10
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS releases below 9.5.2 are susceptible to PHP Object Injection through unserialize() calls in the Permission, Cache, and Search components. When a maliciously crafted serialized payload is stored in the database, an unauthenticated attacker can trigger arbitrary PHP object instantiation. This is CWE-502 (deserialization of untrusted data). Instantiating attacker-chosen classes becomes remote code execution only where a gadget chain is reachable, that is, a loadable class in the application or its dependencies whose __wakeup() or __destruct() has an exploitable side effect; the description itself claims object instantiation, not a demonstrated RCE.

Affected Systems

Affected products include Concrete CMS running any release earlier than 9.5.2. The vulnerable unserialize() calls are in the Permission, Cache, and Search components, and exploitation requires that a malicious serialized object already be present in the database.

Risk and Exploitability

The CVSS 4.0 base score of 8.4 is rated High. The published vector, CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, scores local access with high privileges; this reflects the precondition that the payload must first be written into the database, while the "unauthenticated" wording in the description refers to triggering the deserialization of a payload that is already stored. The EPSS score is below 1% (Very Low) and the flaw is not flagged in CISA's KEV catalog. An attacker therefore needs a separate path to write a serialized string into the affected tables, whether direct database access or another flaw that stores attacker-controlled data. Successful exploitation instantiates attacker-chosen PHP classes; that becomes code execution with the privileges of the web application where a usable gadget chain (a class with exploitable __wakeup() or __destruct() behaviour) is loadable, which is common in PHP applications with many dependencies but is not demonstrated by the description.

Generated by OpenCVE AI on June 10, 2026 at 09:21 UTC.

Remediation

No vendor fix reference or workaround is attached to the CVE record (the References field is empty). The description identifies releases below 9.5.2 as affected, so 9.5.2 is the first release outside the affected range.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.5.2 or newer to eliminate the vulnerable unserialize usage.
  • Where serialized data read from the database must still be parsed, call unserialize() with ['allowed_classes' => false] so that every object token becomes __PHP_Incomplete_Class and no class code (__wakeup(), __destruct()) runs, then reject any result that still contains an object; for new code, store JSON instead, since it cannot express objects at all.
  • Limit database write permissions to trusted users and enforce strict input validation to prevent attackers from inserting malicious serialized payloads.
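The following is an added example, not Concrete CMS code and not the reporter's proof of concept. It illustrates the CWE-502 pattern described above and the two mitigations from the recommended actions: a vulnerable unserialize() on a database value, a hardened variant using allowed_classes => false plus an object check, and a JSON alternative. LogFlusher is a hypothetical gadget class standing in for whatever destructor chain an attacker would actually target, the serialized payload is constructed by hand, and all function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not Concrete CMS code). LogFlusher is a hypothetical gadget:
// a class whose destructor has a side effect an attacker wants to trigger.

final class GadgetLog
{
    /** @var string[] side effects observed from gadget destructors */
    public static array $calls = [];
}

final class LogFlusher
{
    public string $path = '';
    public string $data = '';

    // A real gadget might write $data to $path; here we only record the call.
    public function __destruct()
    {
        GadgetLog::$calls[] = 'write ' . $this->path;
    }
}

// Constructed payload of the kind an attacker would plant in a DB column that
// the application later unserializes. Written by hand so that no LogFlusher
// object exists (and no destructor runs) before the vulnerable call.
const ATTACKER_PAYLOAD =
    'O:10:"LogFlusher":2:{s:4:"path";s:25:"/var/www/public/shell.php";s:4:"data";s:4:"evil";}';

/** Vulnerable pattern (CWE-502): any class named in the payload is instantiated. */
function loadConfigVulnerable(string $dbValue): mixed
{
    return unserialize($dbValue);
}

/** True if the decoded value is or contains an object (incl. __PHP_Incomplete_Class). */
function containsObject(mixed $v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

/** Hardened: no user class is ever instantiated, and any object token is rejected. */
function loadConfigHardened(string $dbValue): mixed
{
    // allowed_classes => false turns every O:/C: token into __PHP_Incomplete_Class,
    // so no __wakeup()/__destruct() of an application class can run during parsing.
    $value = @unserialize($dbValue, ['allowed_classes' => false]);
    if ($value === false && $dbValue !== serialize(false)) {
        throw new RuntimeException('corrupt serialized data');
    }
    if (containsObject($value)) {
        throw new RuntimeException('serialized object rejected');
    }
    return $value;
}

/** Preferred for new code: a storage format that cannot express objects at all. */
function loadConfigJson(string $dbValue): array
{
    return json_decode($dbValue, true, 512, JSON_THROW_ON_ERROR);
}

/** Audit helper: flag object tokens in serialized strings already sitting in the database. */
function looksLikeObjectPayload(string $stored): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $stored) === 1;
}

// Demo: the vulnerable path instantiates the gadget and its destructor fires
// as soon as the object is discarded; the hardened path refuses the payload
// and still accepts ordinary scalar/array configuration.
$obj = loadConfigVulnerable(ATTACKER_PAYLOAD);
unset($obj);
printf("vulnerable: %d gadget call(s): %s\n", count(GadgetLog::$calls), implode(', ', GadgetLog::$calls));

try {
    loadConfigHardened(ATTACKER_PAYLOAD);
} catch (RuntimeException $e) {
    echo 'hardened: rejected (', $e->getMessage(), ")\n";
}

$legit = serialize(['cache_ttl' => 300, 'driver' => 'file']);
var_dump(loadConfigHardened($legit)['cache_ttl']);
var_dump(loadConfigJson('{"cache_ttl":300}')['cache_ttl']);
var_dump(looksLikeObjectPayload(ATTACKER_PAYLOAD), looksLikeObjectPayload($legit));
```

Run it with `php example.php`. The audit helper is the check to run over existing rows in the affected tables before and after upgrading: a legitimate configuration blob serializes to arrays and scalars only, so any `O:` or `C:` token in stored data is worth a closer look.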

Generated by OpenCVE AI on June 10, 2026 at 09:21 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 09:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Concretecms
                                      Concretecms concrete Cms
Vendors & Products                    Concretecms
                                      Concretecms concrete Cms

Wed, 10 Jun 2026 08:15:00 +0000

Type          Values Removed   Values Added
Description                    Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.
Title                          Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Permission, Cache, and Search components
Weaknesses                     CWE-502
References
Metrics                        cvssV4_0: {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-06-10T06:59:03.161Z

Reserved: 2026-06-02T23:28:41.906Z

Link: CVE-2026-10721

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T08:16:22.330

Modified: 2026-06-10T08:16:22.330

Link: CVE-2026-10721

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T09:30:15Z

Weaknesses