Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-21
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery flaw in the star() action of the backend file controller (concrete/controllers/backend/file) in Concrete CMS. The endpoint accepts a state-changing request without a valid anti-CSRF token, so a page under the attacker's control can make a logged-in user's browser submit that request, and the server processes it under the victim's session. The impact is limited to what star() does for that user: the vector rates integrity impact Low (VI:L) with no confidentiality or availability impact, and the description does not claim file deletion or renaming. PR:N means the attacker needs no account of their own; UI:P and AT:P mean that an authenticated Concrete user must be lured to attacker-controlled content and that the attack depends on conditions the attacker does not fully control.

Affected Systems

All installations of Concrete CMS 9 that are running any version earlier than 9.5.0 are affected. No further version granularity is specified, so the entire series of releases before 9.5.0 is considered vulnerable.

Risk and Exploitability

Risk is low: CVSS 2.3, no EPSS score yet, and not listed in CISA KEV. Exploiting CSRF (CWE-352) requires a victim who is logged in to the Concrete dashboard and who loads attacker-controlled content that issues the forged request, typically via social engineering. The advisory also tags CWE-1275 (sensitive cookie without a proper SameSite attribute), the browser-side condition that lets the session cookie ride along on a cross-site request. Because the root cause is a missing token check, the fix is to require and validate a per-session anti-CSRF token on the endpoint; restricting who can use the file manager further limits who is a useful victim.

Generated by OpenCVE AI on May 21, 2026 at 22:23 UTC.

Remediation

No separate vendor advisory or workaround has been linked yet; the description identifies 9.5.0 as the first fixed release.

OpenCVE Recommended Actions

  • Upgrade to Concrete CMS 9.5.0 or later.
  • Verify that CSRF tokens are enforced on all backend endpoints.
  • Review file operation logs for unauthorized changes and adjust access controls if necessary.
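The token check referred to in the analysis above and in the second recommended action, shown as an added example. This is not Concrete CMS code and not the vendor's fix: it is a generic synchronizer-token pattern written for this page, with a vulnerable backend action handler beside the same handler guarded by a per-session, per-action token. The parameter names fID and csrf_token, the action name file_star, the session layout and the starFile() helper are assumptions made for the illustration.

```php
<?php
// Added example, not Concrete CMS code and not the vendor's fix: the CWE-352
// pattern behind this CVE, shown as a vulnerable backend action handler beside
// the same handler guarded by a synchronizer (per-session, per-action) token.
// The parameter names fID and csrf_token, the action name file_star and the
// starFile() helper are assumptions made for the illustration.

declare(strict_types=1);

const CSRF_TOKEN_TTL = 3600; // seconds a token stays valid

// Mint a token bound to this session and action. The server embeds the value
// in the page it renders (hidden field or JS variable); a cross-origin page
// cannot read it, so it cannot reproduce it.
function csrf_generate(array &$session, string $action): string
{
    $token = bin2hex(random_bytes(32));
    $session['csrf'][$action] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Reject a missing, expired or mismatched token. hash_equals() keeps the
// comparison constant-time so the check itself does not leak the token.
function csrf_validate(array &$session, string $action, ?string $supplied): bool
{
    $stored = $session['csrf'][$action] ?? null;
    if ($stored === null || $supplied === null) {
        return false;
    }
    if (time() - $stored['issued'] > CSRF_TOKEN_TTL) {
        unset($session['csrf'][$action]);
        return false;
    }
    return hash_equals($stored['value'], $supplied);
}

// Stand-in for the persistence layer: records which files a user has starred.
function starFile(array &$store, int $userId, int $fileId): void
{
    $store[$userId][$fileId] = true;
}

// VULNERABLE: the only thing tying the request to the user is the session
// cookie, which the browser attaches to cross-site requests on its own. Any
// page the logged-in user visits can therefore trigger the action.
function starHandlerVulnerable(array $post, int $userId, array &$store): int
{
    $fileId = (int) ($post['fID'] ?? 0);
    if ($fileId <= 0) {
        return 400;
    }
    starFile($store, $userId, $fileId);
    return 200;
}

// HARDENED: identical logic, but the request must carry a token the server
// issued to this session for this action. A forged cross-site request has no
// way to obtain it and is refused before any state changes.
function starHandlerHardened(array $post, int $userId, array &$session, array &$store): int
{
    $supplied = $post['csrf_token'] ?? null;
    if (!csrf_validate($session, 'file_star', is_string($supplied) ? $supplied : null)) {
        return 403;
    }
    $fileId = (int) ($post['fID'] ?? 0);
    if ($fileId <= 0) {
        return 400;
    }
    starFile($store, $userId, $fileId);
    return 200;
}

// Constructed requests: what an attacker's page can send (only fID, since the
// token is not readable cross-origin) versus what the legitimate UI sends.
$session = [];
$store   = [];
$userId  = 7;

$forged = ['fID' => 42];
printf("vulnerable handler, forged request:   %d\n", starHandlerVulnerable($forged, $userId, $store));
printf("hardened handler, forged request:     %d\n", starHandlerHardened($forged, $userId, $session, $store));

$legit = ['fID' => 42, 'csrf_token' => csrf_generate($session, 'file_star')];
printf("hardened handler, legitimate request: %d\n", starHandlerHardened($legit, $userId, $session, $store));
```

Run from the command line with php: the forged request is accepted by the vulnerable handler and refused with 403 by the hardened one, while a request carrying a freshly issued token succeeds. In a real deployment the check sits in front of every state-changing backend action, not just this one, and the session cookie should additionally be set with SameSite=Lax or Strict (the CWE-1275 item in this advisory) so that the browser withholds it on cross-site POSTs even if a handler is missed.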

Advisories

No advisories yet.

History

Thu, 21 May 2026 23:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Concretecms
                                      Concretecms Concrete Cms
Vendors & Products                    Concretecms
                                      Concretecms Concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type         Values Removed   Values Added
Description                   Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Title                         Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star()
Weaknesses                    CWE-1275, CWE-352
References                    (none)
Metrics                       cvssV4_0: score 2.3, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T21:26:17.256Z

Reserved: 2026-05-12T18:14:59.796Z

Link: CVE-2026-8432

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T22:16:51.700

Modified: 2026-05-21T22:16:51.700

Link: CVE-2026-8432

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:45:20Z

Weaknesses