Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-21
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS 9 before 9.5.0 contains a Cross-Site Request Forgery flaw in the rescanMultiple() action of concrete/controllers/backend/file. The action does not enforce CSRF protection, so an attacker can make a logged-in user's browser trigger a file rescan on the attacker's behalf. The vulnerability does not enable code execution or data exfiltration, but it can disrupt site administration by forcing unnecessary file scans, which may degrade performance on a busy site.

Affected Systems

The affected product is Concrete CMS 9, specifically any installation running a version earlier than 9.5.0. These installations expose the vulnerable rescanMultiple() function in the backend controller, which can be accessed by authenticated users from the administrative interface.

Risk and Exploitability

The CVSS v4.0 score is 2.3, indicating low severity, and the vulnerability is not listed in CISA KEV. The vector describes a network attack (AV:N) of low complexity (AC:L) that depends on attack requirements being met (AT:P), needs no privileges (PR:N), and requires user interaction (UI:P); the only impact is a limited loss of integrity on the vulnerable system (VI:L). An adversary would therefore need to lure an authenticated administrator into unknowingly activating the rescan. No EPSS score is available, but the probability of exploitation is low given the limited impact and the absence of public exploit evidence.

Generated by OpenCVE AI on May 21, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.5.0 or later, which removes the vulnerable endpoint.
  • Ensure that CSRF validation is enabled for all backend actions, verifying that tokens are checked before processing requests.
  • If the rescanMultiple() functionality is not required for your deployment, disable or remove that endpoint to eliminate the attack surface.
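The second recommended action, checking a CSRF token before a backend action does any work, is illustrated below with a generic PHP handler shown first without and then with that check. This is an added example, not Concrete CMS's own code or its fix; the action body, the csrf_token form field and the session-based token storage are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added example, not Concrete CMS code. A generic back-end action shown in its
// vulnerable shape (no request-origin check) and its hardened shape (session
// token verified before any work). Field and function names are assumptions.

/** The actual work: normalise the posted file IDs and (in a real app) rescan them. */
function doRescan(array $post): string
{
    $ids = array_values(array_unique(array_map('intval', (array) ($post['fID'] ?? []))));
    // A real implementation would re-read metadata for each file here.
    return 'rescanned file IDs: ' . implode(',', $ids);
}

/** Vulnerable shape: any request carrying the victim's session cookie runs the action. */
function rescanFilesVulnerable(array $post): string
{
    return doRescan($post);
}

/** Return this session's CSRF token, creating it on first use. */
function csrfToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field for forms that the server itself renders. */
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/** True only for a POST that carries the session's token; compared in constant time. */
function csrfValid(string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;   // GET/HEAD must never perform state changes
    }
    $sent = $post['csrf_token'] ?? null;
    return is_string($sent) && $sent !== '' && hash_equals(csrfToken(), $sent);
}

/** Hardened shape: reject the request before doing any work. */
function rescanFilesHardened(string $method, array $post): string
{
    if (!csrfValid($method, $post)) {
        http_response_code(403);
        return 'rejected: missing or invalid CSRF token';
    }
    return doRescan($post);
}

// Constructed requests for demonstration.
$crossSite = ['fID' => [3, 1, 3]];                  // what a form on another site can submit: no token
$ownForm   = $crossSite + ['csrf_token' => csrfToken()]; // what the server's own rendered form submits

echo rescanFilesVulnerable($crossSite), PHP_EOL;     // vulnerable handler: no origin check at all
echo rescanFilesHardened('POST', $crossSite), PHP_EOL; // hardened handler, token absent
echo rescanFilesHardened('GET', $ownForm), PHP_EOL;    // hardened handler, right token but wrong method
echo rescanFilesHardened('POST', $ownForm), PHP_EOL;   // hardened handler, legitimate submission
```

The two checks that matter are the POST-only rule and the constant-time comparison against a token that only the server's own pages can embed; a cross-site form cannot read that token, so its submission is rejected before the action runs. Marking the session cookie SameSite=Lax or Strict adds an independent browser-side layer but does not replace the server-side check.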

Advisories

No advisories yet.

History

Thu, 21 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Concretecms; Concretecms concrete Cms
Vendors & Products | - | Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | - | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Title | - | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple()
Weaknesses | - | CWE-1275; CWE-352
References | - | -
Metrics | - | cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T21:23:52.318Z

Reserved: 2026-05-12T18:20:29.732Z

Link: CVE-2026-8434

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T22:16:51.933

Modified: 2026-05-21T22:16:51.933

Link: CVE-2026-8434

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:45:20Z

Weaknesses