Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-21
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS 9 versions earlier than 9.5.0 allow an attacker to send a forged request to the bulk delete page endpoint, potentially deleting site pages without the user’s intent. This Cross‑Site Request Forgery weakness does not directly grant execution privileges but can lead to accidental data loss or site disruption. The severity is rated low with a CVSS v4.0 score of 2.3, reflecting that the exploit requires an authenticated user to be tricked into visiting the malicious URL and that the impact is limited to the targeted pages.

Affected Systems

The vulnerability affects all releases of Concrete CMS 9 up to, but not including, 9.5.0. Users running any 9.x version should verify their installed patch level and upgrade if necessary.

Risk and Exploitability

The risk is moderate because the vulnerability needs user interaction and there is no automated exploitation vector. The EPSS score is currently unavailable, but the lack of listing in the CISA KEV catalog suggests low exploitation pressure. Attackers would likely craft a malicious link or form that forces an authenticated administrator or content editor to execute the bulk delete operation, resulting in unwanted content removal.

Generated by OpenCVE AI on May 21, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Concrete CMS 9 patch (9.5.0 or newer) to remove the vulnerable endpoint.
  • If an immediate upgrade is not possible, disable the bulk delete function or restrict it to high‑privilege roles only.
  • Configure the web application firewall or similar controls to block unauthenticated requests to the bulk delete URL and enforce proper CSRF token validation.


Advisories

No advisories yet.

History

Thu, 21 May 2026 22:45:00 +0000

Type / Values Removed / Values Added
First Time appeared / (none) / Concretecms; Concretecms concrete Cms
Vendors & Products / (none) / Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type / Values Removed / Values Added
Description / (none) / Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Title / (none) / Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete
Weaknesses / (none) / CWE-1275; CWE-352
References / (none) / (none)
Metrics / (none) / cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T21:32:01.804Z

Reserved: 2026-05-12T16:48:52.121Z

Link: CVE-2026-8411

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T22:16:50.870

Modified: 2026-05-21T22:16:50.870

Link: CVE-2026-8411

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:30:20Z

Weaknesses