Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-21
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions prior to 9.5.0 have an endpoint at concrete/controllers/dialog/page/bulk/cache that does not verify a CSRF token. The flaw enables an attacker to cause the backend to clear cached page data, resulting in functional disruption of cached content. The weakness is categorized as CWE-352, reflecting missing anti-CSRF protection.
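As an added illustration of the two weakness classes this record lists (CWE-352 and, under OpenCVE Enrichment, CWE-1275), and not code from Concrete CMS or from this page: a generic PHP handler for a bulk cache-clear action, first in the unprotected form and then with a synchronizer-token check, followed by the SameSite cookie setting that limits the blast radius of a missed check. The function names, the `csrf_token` field and the `clearPageCache()` call are hypothetical.

```php
<?php
// Added example, not Concrete CMS code. Names below are hypothetical.
declare(strict_types=1);

// Issue one random token per session; the form or JS that calls the
// action embeds it, so a cross-site page cannot know its value.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Vulnerable pattern (CWE-352): the action trusts the session cookie alone,
// so any site the logged-in admin visits can submit this request for them.
function clearCacheUnprotected(array $pageIds): string
{
    foreach ($pageIds as $id) {
        // clearPageCache($id);  // hypothetical cache-clearing call
    }
    return 'cleared';
}

// Hardened pattern: require POST, compare the submitted token with the
// session token in constant time, and refuse the request otherwise.
function clearCacheProtected(array $pageIds, array $post, string $method): string
{
    $expected  = csrfToken();
    $submitted = $post['csrf_token'] ?? '';
    if ($method !== 'POST'
        || !is_string($submitted)
        || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        return 'invalid or missing CSRF token';
    }
    foreach ($pageIds as $id) {
        // clearPageCache($id);  // hypothetical cache-clearing call
    }
    return 'cleared';
}

// Defence in depth for CWE-1275: a SameSite=Lax (or Strict) session cookie is
// not sent on cross-site POSTs, so a forged request arrives unauthenticated
// even where a token check is missing. Must run before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Usage: the protected handler rejects a request carrying no token ...
echo clearCacheProtected([1, 2], [], 'POST'), PHP_EOL;
// ... and accepts one that echoes the session token back.
echo clearCacheProtected([1, 2], ['csrf_token' => csrfToken()], 'POST'), PHP_EOL;
```

The token check is the actual fix for CWE-352; the SameSite attribute only reduces how much a missed check can be abused from a cross-site origin, and browsers still attach Lax cookies on top-level GET navigations, so state-changing actions must also refuse GET.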

Affected Systems

Concrete CMS 9.x releases earlier than 9.5.0 are affected, including 9.0 through 9.4.x. The issue is fixed in version 9.5.0 and later, so only sites running those older releases need to address the vulnerability.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall severity, and the EPSS score is not available, implying a low likelihood of exploitation in the wild. Exploitation is likely to involve an authenticated user, though the CVE description does not explicitly confirm this. Although the vulnerability is not listed in CISA KEV, organizations should still evaluate the risk of exposing a functional endpoint that could be abused for denial-of-service or targeted cache manipulation.

Generated by OpenCVE AI on May 21, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.5.0 or newer, which adds CSRF protection to the bulk cache endpoint.
  • If an immediate upgrade is not feasible, block or restrict access to concrete/controllers/dialog/page/bulk/cache using firewall rules or server-level ACLs so that only legitimate administrative traffic can reach the endpoint.
  • Treat cache clearing requests as administrative actions and monitor logs for requests lacking a valid CSRF token, flagging anomalous activity for review.

Advisories

No advisories yet.

History

Tue, 26 May 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 22 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Concretecms
Concretecms concrete Cms
Vendors & Products Concretecms
Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Title Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache
Weaknesses CWE-1275
CWE-352
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-22T13:05:28.116Z

Reserved: 2026-05-12T17:01:17.683Z

Link: CVE-2026-8412

Vulnrichment

Updated: 2026-05-22T13:05:24.012Z

NVD

Status : Analyzed

Published: 2026-05-21T22:16:50.990

Modified: 2026-05-26T18:25:09.987

Link: CVE-2026-8412

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T23:30:22Z

Weaknesses
  • CWE-1275: Sensitive Cookie with Improper SameSite Attribute
  • CWE-352: Cross-Site Request Forgery (CSRF)