216.73.217.80

CVE-2026-8421

· Published 21/05/2026 21:16 · Modified 21/05/2026 21:16

Labels: CVE-2026-8421 2026-05-21CVE-2026-8421CWE-352ff5b8ace-8b95-4078-9743-eac1ca5451de

Essential information

Published
21/05/2026 21:16
Modified
21/05/2026 21:16
Author
Creator
CVSS
7.5 HIGH (v3) 7.5 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php.  An attacker who can cause an authenticated administrator to visit a crafted page,  and who has placed or caused a package to be present under DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution.  In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks  https://github.com/maru1009  for reporting.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
ff5b8ace-8b95-4078-9743-eac1ca5451de
NVD
View on NVD

Affected products (CPE)

ProductCPE
concrete / concrete cms cpe:2.3:a:concrete:concrete_cms:<9.5.1:*:*:*:*:*:*

References