Description
Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution. In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
Published: 2026-05-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and earlier contain a cross-site request forgery flaw in the install_package() method of the dashboard extend component. When an attacker can make an authenticated administrator visit a crafted page while a malicious package exists under DIR_PACKAGES/<handle>/, the action bypasses the CSRF check and forces the package to install. The package's install() routine executes under the web server user, giving the attacker remote code execution capabilities. This is a CWE-352 weakness that can compromise confidentiality, integrity, and availability of the web application and underlying server.
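As an added illustration (not code from Concrete CMS, from the reporter, or from this advisory), the following generic PHP handler shows the weakness class described above beside a hardened version: a state-changing admin action protected only by an authorization check, next to the same action gated on POST plus a session-bound CSRF token verified with a constant-time comparison before anything runs. All names in it (installPackageVulnerable, installPackageHardened, csrf_token, runPackageInstaller, currentUserCanInstallPackages) are hypothetical stand-ins for an application's own code.

```php
<?php
// Added illustration, not Concrete CMS code. Every function and field name
// below is a hypothetical stand-in for an application's own logic.

session_start();

// Hypothetical stand-ins for the application's authorization and installer.
function currentUserCanInstallPackages(): bool
{
    return !empty($_SESSION['is_admin']);
}

function runPackageInstaller(string $handle): void
{
    // In a real application this would run the package's own install() code.
    error_log("installing package {$handle}");
}

// Issue one unpredictable token per session and render it into every admin form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfHiddenField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session copy in constant time.
function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Weak pattern: authorization only. The browser attaches the administrator's
// session cookie to a cross-site request automatically, so a crafted page can
// trigger the install on the administrator's behalf.
function installPackageVulnerable(string $handle): void
{
    if (!currentUserCanInstallPackages()) {
        http_response_code(403);
        return;
    }
    runPackageInstaller($handle);
}

// Hardened pattern: require POST, verify the token, validate the handle,
// then authorize, then act. A cross-site page cannot read the victim's
// token, so the request is rejected before any state changes.
function installPackageHardened(string $handle): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        http_response_code(405);
        return;
    }
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        error_log("csrf check failed for package install, handle={$handle}");
        return;
    }
    // Only accept handles that cannot leave the packages directory.
    if (!preg_match('/^[a-z0-9_]+$/', $handle)) {
        http_response_code(400);
        return;
    }
    if (!currentUserCanInstallPackages()) {
        http_response_code(403);
        return;
    }
    runPackageInstaller($handle);
}
```

The order in the hardened handler matters: the method and token checks run before authorization so that a forged request produces no side effect at all, and the logged rejection gives a detection signal for crafted install attempts against an administrator's session.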

Affected Systems

The vulnerability affects all Concrete CMS installations of version 9.5.0 and below, regardless of configuration, as the flaw exists in the core install handling code.

Risk and Exploitability

The CVSS v4.0 score of 7.5 indicates high severity. The exploit requires network access (remote), the presence of a privileged administrator, and the deployment of a malicious package, which limits the potential attack surface but still poses a significant risk. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalogue, but the identified impact and severity suggest that handling this flaw promptly is essential.

Generated by OpenCVE AI on May 21, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to the latest release or apply the vendor patch that addresses the install_package CSRF vulnerability.
  • Remove any untrusted packages from DIR_PACKAGES; ensure only authorized packages are present.
  • Restrict administrator access, enforce strict authentication, and enable CSRF protection on all admin pages; consider implementing a web application firewall to detect and block crafted install requests.

Generated by OpenCVE AI on May 21, 2026 at 22:37 UTC.

Advisories

No advisories yet.

History

Thu, 21 May 2026 23:00:00 +0000

Type: First Time appeared
Values Added: Concretecms; Concretecms concrete Cms

Type: Vendors & Products
Values Added: Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:00:00 +0000

Type: Description
Values Added: Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution. In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.

Type: Title
Values Added: Concrete CMS 9.5.0 and below is vulnerable to CSRF on install_package() with conditional token bypass leading to RCE

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Concretecms Concrete Cms
MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T20:25:11.868Z

Reserved: 2026-05-12T17:45:47.269Z

Link: CVE-2026-8421

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T21:16:34.107

Modified: 2026-05-21T21:16:34.107

Link: CVE-2026-8421

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:45:21Z

Weaknesses