Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-21
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS 9 versions prior to 9.5.0 contain a cross-site request forgery flaw in the bulk delete logs controller. An attacker who can trick an authenticated user into visiting a crafted URL can cause that user to delete log entries without authorization, potentially erasing audit trails. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The flaw does not directly grant arbitrary code execution or data disclosure, but it can degrade the integrity of system logs and hinder forensic investigations.

Affected Systems

The affected product is Concrete CMS version 9. The fix ships in Concrete CMS 9.5.0, so every version 9 installation older than that release is vulnerable. The vendor information lists no affected sub-version range beyond "9 before 9.5.0".

Risk and Exploitability

The CVSS 4.0 score is 2.3, indicating low severity. EPSS data is not available and the vulnerability is not included in the CISA KEV catalog, suggesting that exploitation is currently unlikely. Exploitation would require the victim to be authenticated to the site and to have permission to delete logs, and the attacker would need to lure that user to the malicious URL. No public exploit has been reported; the low CVSS score together with the absence of known in-the-wild exploitation reduces the immediate risk but does not eliminate potential abuse.

Generated by OpenCVE AI on May 21, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.5.0 or later to eliminate the CSRF vulnerability.
  • If an immediate upgrade is not feasible, restrict or disable the bulk delete logs functionality and limit permissions for the affected module to trusted administrative accounts.
  • Educate users to avoid clicking unexpected links, and monitor the audit log for evidence of suspicious deletions to detect potential misuse.


Advisories

No advisories yet.

History

Thu, 21 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Concretecms; Concretecms concrete Cms
Vendors & Products | | Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Yonatan Drori (Tenzai) for reporting.
Title | | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete
Weaknesses | | CWE-1275; CWE-352
References | |
Metrics | | cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Concretecms Concrete Cms
MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T21:32:53.373Z

Reserved: 2026-05-12T16:44:28.592Z

Link: CVE-2026-8410

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T22:16:50.747

Modified: 2026-05-21T22:16:50.747

Link: CVE-2026-8410

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:30:20Z

Weaknesses