CVE-2026-7888

216.73.217.22

· Published 03/06/2026 19:16 · Modified 04/06/2026 15:20

Labels: CVE-2026-7888 2026-06-03 CVE-2026-7888 CWE-502 ff5b8ace-8b95-4078-9743-eac1ca5451de

Essential information

Published: 03/06/2026 19:16
Modified: 04/06/2026 15:20
Author: —
Creator: —
CVSS: 8.4 HIGH (v3) 8.4 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 and Sanjorn Keeratirungsan (dizconnect) for both independently reporting. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.4 with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: ff5b8ace-8b95-4078-9743-eac1ca5451de
NVD: View on NVD

Affected products (CPE)

Product	CPE
concrete / concrete cms	`cpe:2.3:a:concrete:concrete_cms:<9.5.2:::::::*`