Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete.  The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-21
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Concrete CMS versions 9.x prior to 9.5.0, a Cross‑Site Request Forgery flaw exists at concrete/controllers/dialog/logs/delete. An attacker who successfully tricks an authenticated user into visiting a crafted URL can cause the system to delete log entries. While the vulnerability does not directly expose sensitive data or grant arbitrary code execution, it compromises the integrity of the audit trail and may hinder forensic investigations. The weakness is classified as CWE‑352 and CWE‑1275.

Affected Systems

Concrete CMS 9.x versions before 9.5.0, including all releases from 9.0 through 9.4.x. The flaw affects the log deletion dialog controller, which is part of the core Concrete CMS application.

Risk and Exploitability

The flaw has a CVSS score of 2.3, indicating a low severity impact. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires an authenticated session and the victim to open a malicious link, suggesting a user‑interaction attack vector. Because the damage is limited to deleting logs, the overall risk to confidentiality and availability is minimal, and the likelihood of widespread exploitation remains low.

Generated by OpenCVE AI on May 21, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.5.0 or later, which includes the CSRF protection fix for the log deletion dialog.
  • After upgrading, verify that CSRF tokens are properly enforced for all delete operations and that the dialog requires a confirmation step.
  • Audit user permissions to ensure only authorized administrators can delete logs and monitor log deletion activity for anomalous behavior.

Generated by OpenCVE AI on May 21, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Concretecms
Concretecms concrete Cms
Vendors & Products Concretecms
Concretecms concrete Cms

Thu, 21 May 2026 22:15:00 +0000

Type Values Removed Values Added
Description Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete.  The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Title Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete
Weaknesses CWE-1275
CWE-352
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Concretecms Concrete Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-22T13:04:09.457Z

Reserved: 2026-05-12T16:24:33.167Z

Link: CVE-2026-8409

cve-icon Vulnrichment

Updated: 2026-05-22T13:04:05.897Z

cve-icon NVD

Status : Received

Published: 2026-05-21T22:16:50.623

Modified: 2026-05-21T22:16:50.623

Link: CVE-2026-8409

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T23:30:22Z

Weaknesses