Description
ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error.
Published: 2026-03-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

ConcreteCMS version 9.4.7 contains a denial-of-service vulnerability in the File Manager's bulk download function. The controller uses ZipArchive::addFromString combined with file_get_contents, loading each selected file into PHP memory; the flaw is classified as CWE-400 (uncontrolled resource consumption). When an attacker selects large files for download, PHP-FPM exhausts memory, crashes with a SIGSEGV, and the web server returns a 500 error, disrupting service for all users.
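The pattern the advisory describes, shown as an added illustration rather than ConcreteCMS code: the memory-hungry variant beside a hardened one that caps the selection size and lets libzip read each file from disk. The size limits and function names are hypothetical.

```php
<?php
// Added illustration, not ConcreteCMS code: the memory-hungry pattern from the
// advisory next to a hardened variant. Caps and function names are hypothetical.

// Vulnerable pattern: each selected file is read fully into PHP memory before
// libzip sees it, so peak memory grows with the sum of the selected file sizes.
function buildZipInMemory(array $paths, string $zipPath): void
{
    $zip = new ZipArchive();
    $zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    foreach ($paths as $path) {
        $zip->addFromString(basename($path), file_get_contents($path));
    }
    $zip->close();
}

// Hardened variant: reject oversized selections up front, then let libzip read
// each file from disk while writing the archive, so memory stays bounded.
const MAX_FILE_BYTES  = 200 * 1024 * 1024;  // per-file cap (hypothetical)
const MAX_TOTAL_BYTES = 1024 * 1024 * 1024; // per-archive cap (hypothetical)

function buildZipStreaming(array $paths, string $zipPath): void
{
    $total = 0;
    foreach ($paths as $path) {
        $size = filesize($path);
        if ($size === false || $size > MAX_FILE_BYTES) {
            throw new RuntimeException("Refusing oversized or unreadable file: $path");
        }
        $total += $size;
        if ($total > MAX_TOTAL_BYTES) {
            throw new RuntimeException('Selection exceeds the archive size cap');
        }
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("Cannot create $zipPath");
    }
    foreach ($paths as $path) {
        // addFile() only records the path; bytes are copied in chunks on close().
        $zip->addFile($path, basename($path));
    }
    $zip->close();
}
```

On the hardened path, serve the finished archive with readfile() after clearing output buffers, so the response is streamed to the client rather than accumulated in PHP memory.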

Affected Systems

Only the 9.4.7 release of ConcreteCMS that has the File Manager bulk‑download feature enabled is affected. The issue resides in concrete/controllers/backend/file.php and does not apply to newer releases where the zip creation process has been patched or constrained.

Risk and Exploitability

The CVSS score of 6.5 signals a medium severity. No EPSS score is available and the flaw is not yet recorded in CISA’s KEV catalog. Exploitation requires authenticated access; an attacker who can log in to the CMS can trigger the OOM by initiating a bulk download of large files. The attack does not compromise confidentiality or integrity, but it can cause temporary availability outages until the PHP process restarts or the server is recovered.

Generated by OpenCVE AI on March 24, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ConcreteCMS to version 9.4.8 or later
  • If an upgrade cannot be performed immediately, disable or restrict the bulk‑download feature to prevent creation of large ZIP archives
  • Monitor PHP‑FPM for crashes and implement high‑availability or redundancy to mitigate downtime

Advisories

Source: Github GHSA
ID: GHSA-p68c-rmfh-j48h
Title: ConcreteCMS is vulnerable to Denial of Service During Bulk Downloads

History

Wed, 25 Mar 2026 22:00:00 +0000

Title: ConcreteCMS Bulk Download OOM Denial of Service

Tue, 24 Mar 2026 19:30:00 +0000

First Time appeared: Concretecms; Concretecms concrete Cms
CPEs: cpe:2.3:a:concretecms:concrete_cms:9.4.7:*:*:*:*:*:*:*
Vendors & Products: Concretecms; Concretecms concrete Cms

Tue, 24 Mar 2026 19:15:00 +0000

Weaknesses: CWE-400
Metrics:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 14:45:00 +0000

Description: as shown in the Description section at the top of this page.
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-24T18:49:37.326Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30662

Vulnrichment

Updated: 2026-03-24T18:49:31.920Z

NVD

Status : Modified

Published: 2026-03-24T15:16:34.457

Modified: 2026-03-24T20:16:27.010

Link: CVE-2026-30662

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:40:51Z

Weaknesses