Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-21
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS 9 before 9.5.0 contains a CSRF flaw in the concrete/controllers/backend/file removeFavoriteFolder($id) endpoint. A malicious actor can craft a request that deletes a user's favorite folder without the user's knowledge, compromising data integrity but not exposing confidential data or affecting availability. The weakness is classified as CSRF (CWE-352) and limits the attacker to actions that the authenticated user is permitted to perform, such as folder deletion.

Affected Systems

All releases of Concrete CMS 9 prior to version 9.5.0. The vulnerability resides in the backend file controller that handles the removeFavoriteFolder action. No specific patch versions are listed beyond the recommendation to upgrade to 9.5.0 or newer.

Risk and Exploitability

With a CVSS v4.0 score of 2.3 the issue is labeled low severity. No EPSS score is provided, and it is not listed in the CISA KEV catalog. The attack vector is inferred to be remote and requires the victim to be actively authenticated: a malicious site can cause the victim's browser to issue a removeFavoriteFolder request that carries the victim's authenticated session. Because user interaction is needed, the probability of exploitation is moderate but limited to situations where the user is logged in.

Generated by OpenCVE AI on May 21, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.5.0 or later
  • If an upgrade is not feasible, modify the backend file controller to enforce CSRF token validation for the removeFavoriteFolder action
  • Audit system logs for unexpected removeFavoriteFolder requests and tighten permissions for favorite folder management
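To make the second recommended action concrete, the following is an added illustration in plain PHP, not Concrete CMS's own controller code or its 9.5.0 fix: a CSRF-prone "remove favorite folder" handler beside a hardened one that validates a per-session token, restricts the action to POST, and sets SameSite on the session cookie (the CWE-1275 aspect listed below). The class name, the $_SESSION keys and the "ccm_token" field name are assumptions made for this example.

```php
<?php
// Added illustration, not Concrete CMS code or its 9.5.0 fix: the CSRF-prone shape
// of a "remove favorite folder" action beside a hardened one. The class name, the
// $_SESSION keys and the "ccm_token" field are assumptions made for this example.
declare(strict_types=1);

// Defense in depth for the CWE-1275 aspect: a forged cross-site POST only works
// because the browser attaches the session cookie; SameSite=Lax withholds it on
// cross-site POSTs. Cookie params must be set before session_start().
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();
$_SESSION['uid'] = 1; // constructed: the victim is logged in as user 1

final class FavoriteFolders {
    /** user id => (folder id => name); constructed sample data */
    private array $store = [1 => [10 => 'Contracts', 11 => 'Invoices']];
    public function remove(int $userId, int $folderId): void { unset($this->store[$userId][$folderId]); }
    public function has(int $userId, int $folderId): bool { return isset($this->store[$userId][$folderId]); }
}

// BEFORE: the only check is "somebody is logged in". A form on any site the victim
// visits can post to .../removeFavoriteFolder/<id>; the browser adds the session
// cookie and the folder disappears without the user's consent.
function removeFavoriteFolderVulnerable(FavoriteFolders $f, int $id): bool {
    if (empty($_SESSION['uid'])) { return false; }
    $f->remove((int) $_SESSION['uid'], $id);
    return true;
}

// AFTER: the request must carry a per-session secret that a third-party page cannot
// read, and only POST is accepted so a navigated link or <img> cannot fire the action.
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) { $_SESSION['csrf'] = bin2hex(random_bytes(32)); }
    return $_SESSION['csrf'];
}
function removeFavoriteFolderHardened(FavoriteFolders $f, int $id, string $method, array $post): bool {
    if (empty($_SESSION['uid']) || $method !== 'POST') { return false; }
    $supplied = (string) ($post['ccm_token'] ?? '');
    if ($supplied === '' || !hash_equals(csrfToken(), $supplied)) { return false; } // constant-time compare
    $f->remove((int) $_SESSION['uid'], $id);
    return true;
}

// Constructed requests: the forged cross-site POST has no token; the legitimate
// form was rendered by the site itself and embeds the session's token.
$folders = new FavoriteFolders();
var_dump(removeFavoriteFolderVulnerable($folders, 10));                                      // forged request, no token needed
var_dump(removeFavoriteFolderHardened($folders, 11, 'POST', []), $folders->has(1, 11));      // forged request, rejected
var_dump(removeFavoriteFolderHardened($folders, 11, 'POST', ['ccm_token' => csrfToken()]));  // legitimate request
```

The token must be emitted into every form or AJAX call that targets the action; a validation step that is never fed a token only breaks the feature.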


Advisories

No advisories yet.

History

Tue, 26 May 2026 19:00:00 +0000

Type      Values Removed   Values Added
CPEs      -                cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
Metrics   -                cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 22 May 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 22:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Concretecms; Concretecms concrete Cms
Vendors & Products   -                Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type         Values Removed   Values Added
Description  -                Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Title        -                Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id)
Weaknesses   -                CWE-1275; CWE-352
References   -                -
Metrics      -                cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-22T12:33:06.631Z

Reserved: 2026-05-12T18:03:52.955Z

Link: CVE-2026-8427

Vulnrichment

Updated: 2026-05-22T12:32:56.594Z

NVD

Status : Analyzed

Published: 2026-05-21T22:16:51.580

Modified: 2026-05-26T18:49:19.750

Link: CVE-2026-8427

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T23:00:14Z

Weaknesses

  • CWE-1275: Sensitive Cookie with Improper SameSite Attribute
  • CWE-352: Cross-Site Request Forgery (CSRF)