CVE-2026-3452

High CVSS: 8.9

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of ZUSO ART https://zuso.ai/ for reporting.

Vendor

Concretecms

Product

Concrete Cms

CWE

CWE-502

Yayın Tarihi

2026-03-04 02:15:54

Güncelleme

2026-03-04 21:36:39

Source Identifier

ff5b8ace-8b95-4078-9743-eac1ca5451de

KEV Date Added

Kategoriler

CWE-502 Concrete Cms HIGH Concretecms 2026

Referanslar

https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920://

Benzer Kayıtlar

Medium

CVE-2026-30662

ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method…

Medium

CVE-2026-3241

In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block…

Medium

CVE-2026-3242

In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concre…

Low

CVE-2026-2994

Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configu…

Medium

CVE-2026-3240

In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored…

Medium

CVE-2026-3244

In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where…