Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-21
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS version 9 prior to 9.5.0 contains a cross-site request forgery vulnerability in the addFavoriteFolder controller action. An attacker who tricks a logged-in user into visiting a crafted URL can add a folder to that user's favorites without authorization. The flaw does not allow code execution or compromise of server credentials, so the impact is limited to unauthorized modification of the user's favorite items and potential link tracking, which is why it received a low-severity CVSS score of 2.3.

Affected Systems

The affected product is Concrete CMS, any installation of version 9 prior to 9.5.0. The vulnerability is present in the backend file controller addFavoriteFolder action.

Risk and Exploitability

Given the CVSS vector AV:N/AC:L/AT:P/PR:N/UI:P, an attacker would need to convince a legitimate, logged-in user to perform an action in a web browser, typically by planting a malicious link or form. Exploit probability is likely low; no EPSS score is published, and CISA KEV does not list this issue. The low severity and the requirement for user interaction mean the risk to most deployments is modest, but there is still potential for annoyance and small data-integrity impacts.

Generated by OpenCVE AI on May 21, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.5.0 or later, which removes the CSRF flaw in addFavoriteFolder.
  • If upgrading immediately is not possible, restrict access to the backend controllers so that the addFavoriteFolder endpoint requires a valid CSRF token and is only reachable after proper authentication; deny anonymous or unauthenticated requests to that path.
  • Enforce short-lived or browser-session-only sessions for administrative users and require re-authentication for critical actions to reduce the window in which a CSRF attack can succeed.


Advisories

No advisories yet.

History

Thu, 21 May 2026 22:45:00 +0000 (no values removed)

First Time appeared (values added): Concretecms; Concretecms concrete Cms
Vendors & Products (values added): Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000 (no values removed)

Description (values added): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Title (values added): Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id)
Weaknesses (values added): CWE-1275, CWE-352
References (values added): none
Metrics (values added): cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T21:28:32.664Z

Reserved: 2026-05-12T17:10:56.402Z

Link: CVE-2026-8416

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T22:16:51.467

Modified: 2026-05-21T22:16:51.467

Link: CVE-2026-8416

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:30:20Z

Weaknesses