CVE-2026-8140

medium

Published 2026-05-21 · Modified 2026-05-26

CVSS v3

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS v2

—

VIR risk

6.5

Description

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/<remoteId>. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() permission before fetching a remote marketplace package and writing it to the server's DIR_PACKAGES directory. Because the endpoint is a state-changing GET route with no token enforcement, an attacker who can cause an authenticated administrator to visit a crafted page can force an arbitrary marketplace package to be downloaded. In order to be vulnerable, the victim must be passing canInstallPackages() and the site must be connected to the Concrete marketplace. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: ff5b8ace-8b95-4078-9743-eac1ca5451de — https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

Application impact

Vendor	Product	Versions	Fixed
concretecms	concrete_cms	`{"endIncluding":"9.5.0"}`

References

https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

CWEs

CWE-352

Verify integrity in audit chain (admin only). AS-IS.