Description
Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. A rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because the REST API parses requests using json_decode(), the value "true" is evaluated as a strict PHP Boolean (true). This bypass allows the attacker to inject a malicious serialized payload into the block's filterFields database column. The payload is subsequently executed when the block's data is viewed or edited by an administrator, leading to complete server takeover (RCE). The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 8.9 with a vector of CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks to Nguyễn Văn Thiện (https://github.com/Thien225409) for reporting.
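As an added illustration (not Concrete CMS's own code) of the type confusion the description relies on: a form-encoded body can only carry the string "true", while json_decode() turns the JSON literal true into a PHP boolean, so a gate that compares a request-supplied flag with `=== true` behaves differently per transport. The `gateFromRequest()` and `saveFilterFields()` functions and the `$calledFromCif` parameter are hypothetical; only the `_fromCIF` and `filterFields` names come from the advisory.

```php
<?php
// Added illustration (not Concrete CMS code): the same `=== true` gate reads
// a form-encoded body and a JSON body differently, and how to gate trust safely.

// Constructed request bodies. parse_str() yields strings only, while
// json_decode() yields typed values, so the JSON literal true becomes bool(true).
$formBody = '_fromCIF=true&filterFields=a%3A0%3A%7B%7D';
$jsonBody = '{"_fromCIF": true, "filterFields": "a:0:{}"}';

parse_str($formBody, $fromForm);          // $fromForm['_fromCIF'] is the string "true"
$fromJson = json_decode($jsonBody, true); // $fromJson['_fromCIF'] is bool(true)

// Hypothetical vulnerable gate: trust is derived from a request-supplied flag.
// A form POST cannot satisfy the strict comparison; a JSON body can.
function gateFromRequest(array $data): bool
{
    return isset($data['_fromCIF']) && $data['_fromCIF'] === true;
}

// Hardened gate (hypothetical): whether the call comes from the CIF importer
// is decided by the server-side caller, never by anything in the request, and
// request-path values are parsed as plain JSON data, never passed to unserialize().
function saveFilterFields(array $data, bool $calledFromCif): array
{
    $raw = (string) ($data['filterFields'] ?? '');
    if (!$calledFromCif) {
        $decoded = json_decode($raw, true);
        if (!is_array($decoded)) {
            throw new InvalidArgumentException('filterFields must be a JSON array');
        }
        return $decoded;
    }
    // Even on the trusted import path, forbid object instantiation entirely.
    $value = unserialize($raw, ['allowed_classes' => false]);
    return is_array($value) ? $value : [];
}

var_dump(gateFromRequest($fromForm), gateFromRequest($fromJson));

try {
    // The JSON body's flag is irrelevant now: the API path is always untrusted.
    saveFilterFields($fromJson, false);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
var_dump(saveFilterFields(['filterFields' => 'a:0:{}'], true));
```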
Published: 2026-05-21
Score: 8.9 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS version 9.5.0 and earlier contain an insecure deserialization flaw in the ExpressEntryList block controller that allows a rogue administrator to inject a malicious serialized payload. By abusing the REST API, which parses input with json_decode, the defensive check for a verified CIF flag can be bypassed when the JSON field is the string “true”. The attacker places this payload in the block’s filterFields column, and the payload is executed whenever an administrator views or edits the block, resulting in complete server takeover.

Affected Systems

All installations of Concrete CMS 9.5.0 and any earlier releases are affected. Products to monitor include the official Concrete CMS platform; no specific third‑party variants are listed. The vulnerability is tied to the ExpressEntryList block functionality present in these versions.

Risk and Exploitability

The flaw carries a CVSS v4.0 score of 8.9, indicating a high‑severity risk. Attackers must have administrative privileges that permit adding blocks, but the REST API provides a network‑based entry that can be used by anyone with those rights. Because the payload is executed at the time an administrator interacts with the block, exploitation can lead to full remote code execution. EPSS is not available, and the vulnerability is not currently listed in the CISA KEV catalogue, but the high CVSS rating and the necessity for elevated privileges underscore the importance of addressing it promptly.

Generated by OpenCVE AI on May 21, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to the latest release that removes the vulnerable deserialization code, ensuring the ExpressEntryList block controller has been patched.
  • Limit REST API access to trusted administrators only and enforce least‑privilege block‑creation permissions.
  • If an update is not immediately possible, disable or remove the ExpressEntryList block from all site areas to prevent exploitation until a patch is applied.

Advisories

No advisories yet.

History

Thu, 21 May 2026 22:15:00 +0000

Type / Values Added (no values removed)
  • First Time appeared: Concretecms; Concretecms concrete Cms
  • Vendors & Products: Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 20:30:00 +0000

Type / Values Added (no values removed; initial record)
  • Description: identical to the Description section above
  • Title: Concrete CMS 9.5.0 and below is vulnerable to RCE due to insecure deserialization occurring in the ExpressEntryList block controller.
  • Weaknesses: CWE-502
  • References: (none listed)
  • Metrics: cvssV4_0 {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T20:16:39.866Z

Reserved: 2026-05-07T17:54:13.820Z

Link: CVE-2026-8135

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T21:16:32.970

Modified: 2026-05-21T21:16:32.970

Link: CVE-2026-8135

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:00:13Z

Weaknesses