Impact
Concrete CMS versions 9.5.0 and earlier contain a flaw that allows an authenticated user with composer form editing rights to store path traversal sequences in the file path field saved with a composer form layout. Because that field is later used to include a file, it can be pointed at any file the web server process can read. On its own that is a local file inclusion; the file uploader, however, validates uploads by extension only, so a file containing PHP source can be stored under an image extension such as .png. Chaining the two, an attacker uploads PHP code as an "image" and then saves a layout path that traverses to the uploaded file, which the server includes and executes, giving remote code execution in the context of the web server. The weaknesses are classified as CWE‑23 (Relative Path Traversal), CWE‑434 (Unrestricted Upload of File with Dangerous Type) and CWE‑98 (Improper Control of Filename for Include/Require Statement in PHP Program). Severity is critical, with confidentiality, integrity and availability all compromised at the system level for any attacker holding administrative credentials or an account with composer form permissions.
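The two weaknesses that make up the chain are generic enough to show side by side with their hardened counterparts. The following is an added illustration in Python, not Concrete CMS code and not taken from the vendor's fix; the base directory, the allowlisted layout-name grammar, the image magic-byte table and the sample files are all constructed for the example.

```python
"""Illustrative Python, not Concrete CMS code: the two weaknesses in the chain
(traversal in a stored layout path, extension-only upload validation), each
beside a hardened version. Base directory, allowlist and sample files are
constructed for this example."""
import os
import re

# --- CWE-23 / CWE-98: user-controlled layout path ---------------------------

def resolve_layout_vulnerable(base_dir: str, layout: str) -> str:
    """Joins the saved layout value straight onto the base directory.
    '../' sequences walk out of base_dir, and os.path.join discards base_dir
    entirely when layout is absolute, so any readable file can be included."""
    return os.path.join(base_dir, layout)

def effective_include_path(base_dir: str, layout: str) -> str:
    """What the vulnerable resolver actually opens, after '..' collapsing."""
    return os.path.normpath(resolve_layout_vulnerable(base_dir, layout))

LAYOUT_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed identifier grammar

def resolve_layout_hardened(base_dir: str, layout: str) -> str:
    """Treats the stored value as an identifier, not a path: allowlist the
    grammar (no '/', '\\' or '.'), build the filename server-side, then verify
    the canonical result still lives under base_dir (defence in depth)."""
    if not LAYOUT_NAME.fullmatch(layout):
        raise ValueError(f"rejected layout name {layout!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, layout + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("layout path escapes base directory")
    return candidate

def hardened_accepts(base_dir: str, layout: str) -> bool:
    """True if the hardened resolver accepts the name, False if it rejects it."""
    try:
        resolve_layout_hardened(base_dir, layout)
        return True
    except ValueError:
        return False

# --- CWE-434: upload validation ---------------------------------------------

IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
# Leading magic bytes for the image types the uploader claims to accept.
IMAGE_MAGIC = [
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
]
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def upload_allowed_vulnerable(filename: str, data: bytes) -> bool:
    """Extension-only check: 'shell.png' containing PHP source is accepted."""
    return _extension(filename) in IMAGE_EXTENSIONS

def upload_allowed_hardened(filename: str, data: bytes) -> bool:
    """Extension must be allowed, magic bytes must match that extension, and
    the body must not contain a PHP open tag (catches image/PHP polyglots)."""
    ext = _extension(filename)
    if ext not in IMAGE_EXTENSIONS:
        return False
    if not any(data.startswith(magic) and ext in exts for magic, exts in IMAGE_MAGIC):
        return False
    if PHP_OPEN_TAG.search(data):
        return False
    return True

# --- constructed samples -----------------------------------------------------
BASE_DIR = "/var/www/app/layouts"                      # hypothetical base dir
WEBSHELL_AS_PNG = b"<?php system($_GET['c']); ?>"      # PHP source, .png name
POLYGLOT_PNG = b"\x89PNG\r\n\x1a\n" + bytes(8) + b"<?php echo 1; ?>"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + bytes(16)

if __name__ == "__main__":
    print(effective_include_path(BASE_DIR, "../../../../etc/passwd"))
    print(hardened_accepts(BASE_DIR, "../../../../etc/passwd"),
          hardened_accepts(BASE_DIR, "default"))
    print(upload_allowed_vulnerable("shell.png", WEBSHELL_AS_PNG),
          upload_allowed_hardened("shell.png", WEBSHELL_AS_PNG))
```

The resolver fix matters more than the upload fix: once a stored value can only select from a fixed set of server-defined filenames, nothing the uploader accepts is ever reachable by include. The magic-byte and open-tag checks are defence in depth, not a substitute; polyglot scanning is heuristic, and uploads should in any case live outside the document root on a path the web server never maps to the PHP handler.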
Affected Systems
The affected product is Concrete CMS, all releases up to and including 9.5.0. Any deployment running 9.5.0 or earlier is vulnerable; releases after 9.5.0 are presumed to carry the fix, which should be confirmed against the vendor's release notes before a deployment is considered patched.
Risk and Exploitability
The CVSS v4.0 score of 9.4 indicates a critical level of risk. Exploitation requires authenticated access with composer form editing rights, so an attacker who compromises or masquerades as an administrator, or who controls any lower-privileged account that has been granted those rights, can trigger the exploit. The EPSS score is not available, but the high CVSS score and the lack of any mitigation in the vulnerable code suggest significant risk if affected systems are not patched. The vulnerability is not listed in the CISA KEV catalog; absence from KEV indicates no confirmed exploitation in the wild, not that exploitation is impractical. The attack is delivered over the network through the web interface, so any instance whose administrative interface is reachable by the attacker provides the path for exploitation.
OpenCVE Enrichment