Impact
Concrete CMS 9 before 9.5.0 allows an attacker to trigger the backend file rescan operation through a crafted request. The attacker needs no account of their own: the request is forged in the browser of a user who is already logged in, so the rescan runs with that user's permissions. The weakness is tagged as Cross-Site Request Forgery (CWE-352) together with Sensitive Cookie with Improper SameSite Attribute (CWE-1275), the cookie setting that lets a cross-site request carry the victim's session. The CVSS score is 2.3 (low severity). The consequence is that a victim who follows a crafted link causes the application to rescan files, which can consume server resources or expose file metadata in unintended ways. The vulnerability does not by itself yield code execution or data exfiltration; its practical effect is disruption of normal file management.
Affected Systems
All Concrete CMS 9.x releases earlier than 9.5.0 are affected; 9.5.0 and later contain the fix. The vulnerable component is the backend file rescanning functionality, exposed as the rescan() action of the concrete/controllers/backend/file controller.
Risk and Exploitability
The CVSS vector indicates that no privileges are required, that user interaction is required, and that the impact is limited to the rescan action itself. The attacker cannot call the endpoint directly without a valid session; the request has to ride on the session of a logged-in user with file-manager access, which is what makes this a CSRF issue rather than a direct authorization bypass. No EPSS score is available at the time of writing, and the vulnerability is not listed in the CISA KEV catalog, so there is no public indication of exploitation in the wild, although the absence of a score is not evidence either way. Exploitation at scale is unlikely, but the risk remains wherever an attacker can get a privileged user to open a link, since a single click is enough to disrupt file management workflows. The most likely attack path is a logged-in user visiting a malicious page that silently issues the rescan request on their behalf.
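A defender who cannot upgrade immediately will want to know whether the rescan endpoint is being hit from other sites. The following detection script is an added example and is not code from Concrete CMS or from OpenCVE. It assumes, without support from the page, that the rescan action is reachable at a URL containing /ccm/system/file/rescan, that a legitimate request carries a ccm_token query parameter, and that the web server logs the Referer and Origin headers in an extended combined format; the log lines are constructed for the demonstration. It flags a rescan request whose Origin or Referer host is not the site itself, and a GET rescan that carries no token at all.

```python
"""Flag cross-site triggers of the Concrete CMS backend file rescan action.

Added example, not code from Concrete CMS or OpenCVE. Assumptions (not stated
on the page): the rescan action is served at RESCAN_PATH, a legitimate request
carries a 'ccm_token' query parameter, and the web server logs Referer and
Origin. SAMPLE_LOG below is constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "cms.example.org"            # assumed hostname of the Concrete CMS install
RESCAN_PATH = "/ccm/system/file/rescan"  # assumed route of the backend file rescan action

# Extended combined format: ... "METHOD PATH PROTO" STATUS SIZE "REFERER" "UA" "ORIGIN"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*" "(?P<origin>[^"]*)"$'
)

# Constructed sample: one legitimate rescan, three forged ones, one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2025:10:01:02 +0000] "POST /ccm/system/file/rescan?ccm_token=abc123 HTTP/1.1" 200 512 "https://cms.example.org/dashboard/files/search" "Mozilla/5.0" "https://cms.example.org"
198.51.100.9 - - [12/May/2025:10:04:17 +0000] "GET /ccm/system/file/rescan?fID=42 HTTP/1.1" 200 512 "https://attacker.example/lure.html" "Mozilla/5.0" "-"
198.51.100.9 - - [12/May/2025:10:04:18 +0000] "POST /ccm/system/file/rescan HTTP/1.1" 200 512 "-" "Mozilla/5.0" "https://attacker.example"
203.0.113.5 - - [12/May/2025:10:06:40 +0000] "GET /dashboard/files/search HTTP/1.1" 200 9000 "https://cms.example.org/dashboard" "Mozilla/5.0" "-"
192.0.2.77 - - [12/May/2025:10:09:03 +0000] "GET /ccm/system/file/rescan?fID=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
"""


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def _host(url: str):
    """Hostname of a logged Referer/Origin value; None when the header was absent ('-')."""
    if not url or url == "-":
        return None
    return urlsplit(url).hostname


def classify(entry: dict):
    """Return why a rescan request looks forged, or None if it looks legitimate.

    Origin is checked first because browsers send it on cross-site POSTs.
    Referer covers top-level GET navigations, which a SameSite=Lax session
    cookie still accompanies. A GET with neither header and no ccm_token in
    the query string is also flagged: a forged request cannot know the token.
    Form-body tokens never reach the access log, so POSTs are not token-checked.
    """
    path = entry["path"]
    if not path.startswith(RESCAN_PATH):
        return None
    origin_host = _host(entry["origin"])
    if origin_host is not None and origin_host != SITE_HOST:
        return "cross-site origin"
    referer_host = _host(entry["referer"])
    if referer_host is not None and referer_host != SITE_HOST:
        return "cross-site referer"
    if entry["method"] == "GET" and "ccm_token" not in parse_qs(urlsplit(path).query):
        return "missing ccm_token"
    return None


def find_suspicious(log_text: str):
    """Run classify() over every parseable line; return (ip, path, reason) for each hit."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["ip"], entry["path"], reason))
    return hits


if __name__ == "__main__":
    for ip, path, reason in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {path} -> {reason}")
```

The GET case is the one worth watching: a session cookie marked SameSite=Lax is still sent on a top-level GET navigation, so a link in an e-mail or a page redirect suffices, whereas the cross-site POST in the third sample line would be blocked by a Lax cookie and is only possible when the cookie carries no SameSite attribute at all, which is the CWE-1275 half of the finding.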
OpenCVE Enrichment