CVE-2026-8421

high

Published 2026-05-21 · Modified 2026-05-26

CVSS v3

8.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

8.8

Description

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution. In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.

Predictions

Exploit likelihood

92%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: ff5b8ace-8b95-4078-9743-eac1ca5451de — https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

Application impact

Vendor	Product	Versions	Fixed
concretecms	concrete_cms	`{"endExcluding":"9.5.1"}`	`9.5.1`

References

https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

CWEs

CWE-352

Verify integrity in audit chain (admin only). AS-IS.