Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-21
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Concrete CMS 9 versions prior to 9.5.0, an attacker can trigger a Cross Site Request Forgery against the event duplicate controller. The flaw lets an attacker forge a request that duplicates an event without the user's explicit consent. The impact is limited to unintended event duplication, which may disrupt scheduling or create accidental data redundancy; it does not provide direct access to sensitive data or code execution. The weakness is identified as CWE-352 (Cross-Site Request Forgery) and CWE-1275 (Use of Unsafe Method for Sensitive Operations).

Affected Systems

The vulnerability affects Concrete CMS version 9 prior to 9.5.0. Users running any 9.x release that has not been updated to 9.5.0 or later are considered exposed.

Risk and Exploitability

The CVSS v4.0 score of 2.3 reflects low severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, indicating limited evidence of exploitation. The likely attack vector would involve persuading a logged-in, non-privileged user to click a malicious link or visit a crafted page that triggers the duplicate action. Given the modest CVSS score and the absence of publicly documented exploits, the risk profile remains low, though organizations should still verify whether any untrusted users are able to initiate the duplicate operation.

Generated by OpenCVE AI on May 21, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Concrete CMS 9.5.0 or later, where the CSRF protection for event duplication has been implemented.
  • If an immediate upgrade is not possible, restrict access to the duplicate event dialog to privileged roles only, reducing the attack surface.
  • Enable or enforce CSRF token validation for all action endpoints, ensuring that duplicate requests without a valid token are rejected.

Advisories

No advisories yet.

History

Thu, 21 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Concretecms; Concretecms concrete Cms
Vendors & Products | | Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Title | | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate
Weaknesses | | CWE-1275; CWE-352
References | |
Metrics | | cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T21:29:50.712Z

Reserved: 2026-05-12T17:07:21.117Z

Link: CVE-2026-8414

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T22:16:51.227

Modified: 2026-05-21T22:16:51.227

Link: CVE-2026-8414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:30:20Z

Weaknesses