Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-21
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9 prior to 9.5.0 allow a remote attacker to forge requests to the bulk design dialog controller, enabling the attacker to influence the appearance of multiple pages without the user’s consent. The underlying weakness follows CWE‑352 – a lack of proper verification of CSRF tokens – combined with CWE‑1275, which reflects insufficient checks on the user’s authorization level. As a result, an attacker could alter site styling for a subset of pages, but there is no evidence of direct data theft or full control.

Affected Systems

Concrete CMS installations running any 9.x release earlier than 9.5.0 are affected. The vulnerability is tied to the controller located at concrete/controllers/dialog/page/bulk/design, which is part of the core package distributed by the CMS vendor.

Risk and Exploitability

The CVSS v4.0 score is 2.3, indicating a low overall risk. No EPSS score is currently available, so the probability of exploitation is undetermined, and the vulnerability is not listed in the CISA KEV catalog. Exploitation depends on an authenticated user whose session has sufficient permissions to invoke the bulk design action; the vector is a user‑initiated or untrusted request that bypasses the CSRF token check. Because the impact is limited to design changes, the overall threat remains low, but it could be leveraged to alter site branding or to support phishing attempts.

Generated by OpenCVE AI on May 21, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.5.0 or later to apply the vendor‑supplied CSRF protection
  • Verify that all custom bulk‑design endpoints validate a CSRF token before applying changes
  • Restrict the bulk‑design operation to privileged roles only, ensuring users without appropriate privileges cannot trigger the controller
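One way to close the two weaknesses this record lists (a missing CSRF token check and a session cookie that a cross‑site request can carry), as an added example in plain PHP that is not Concrete CMS code; the session layout, the EDITABLE_PAGES permission data, canEditPageDesign() and applyDesign() are hypothetical stand‑ins for the application's own logic:

```php
<?php
// Added illustrative example (not Concrete CMS code): a hypothetical handler for a
// "bulk design" POST that addresses both weaknesses listed on this page.
// Hypothetical stand-ins: $_SESSION['user_id'], canEditPageDesign(), applyDesign().
declare(strict_types=1);
// CWE-1275: mark the session cookie SameSite so a cross-site POST does not carry it.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

function csrfToken(): string
{
    // One unguessable token per session; embed it as a hidden field in the dialog form.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function tokenIsValid($submitted): bool
{
    // Constant-time comparison; a missing, non-string or wrong token fails closed.
    return is_string($submitted) && hash_equals(csrfToken(), $submitted);
}

// Constructed permission data standing in for the application's ACL:
// user id => page ids that user may restyle.
const EDITABLE_PAGES = [42 => [7, 9], 43 => [7]];

function canEditPageDesign(int $userId, int $pageId): bool
{
    return in_array($pageId, EDITABLE_PAGES[$userId] ?? [], true);
}

function applyDesign(int $pageId, string $theme): void
{
    error_log("page {$pageId}: theme set to {$theme}"); // placeholder for the real write
}

// Returns an HTTP status: 405 wrong method, 401 not logged in, 403 bad token or no right.
function handleBulkDesign(array $post): int
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') { return 405; }
    if (empty($_SESSION['user_id'])) { return 401; }
    // CWE-352: reject the request before any other parameter is acted on.
    if (!tokenIsValid($post['csrf_token'] ?? null)) { return 403; }
    // Authorization is checked for every selected page, not only once for the dialog.
    $pageIds = array_map('intval', (array)($post['page_ids'] ?? []));
    foreach ($pageIds as $id) {
        if (!canEditPageDesign((int)$_SESSION['user_id'], $id)) { return 403; }
    }
    foreach ($pageIds as $id) { applyDesign($id, (string)($post['theme'] ?? '')); }
    return 200;
}
```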

Advisories

No advisories yet.

History

Thu, 21 May 2026 22:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Concretecms; Concretecms concrete Cms
Vendors & Products  |                | Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Title       |                | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design
Weaknesses  |                | CWE-1275; CWE-352
References  |                |
Metrics     |                | cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T21:30:28.303Z

Reserved: 2026-05-12T17:05:12.650Z

Link: CVE-2026-8413

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T22:16:51.110

Modified: 2026-05-21T22:16:51.110

Link: CVE-2026-8413

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:30:20Z

Weaknesses