CVE-2026-8413

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design

CVSS 2.3 (Low) | EPSS 0.1% | CWE-1275 | CWE-352
In short

Concrete CMS 9 before version 9.5.0 has a weakness that allows attackers to trick users into performing unwanted bulk design changes on pages without their knowledge. An attacker can craft a malicious link that, when clicked by a logged-in CMS user, silently modifies page designs.

Technical detail

A CSRF vulnerability in the bulk page design dialog endpoint (concrete/controllers/dialog/page/bulk/design) allows an attacker to forge requests on behalf of authenticated users. The attack requires user interaction (the victim must open a malicious link while logged in) and results in unauthorized modification of page design settings, an integrity impact. The endpoint performs no anti-CSRF token validation on its state-changing operations.
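As an added illustration (this is not Concrete CMS code and not the fix shipped in 9.5.0), the following PHP sketch shows the control that CWE-352 describes as missing: a state-changing handler that applies a bulk design change to any request it receives, next to the same handler gated by a synchronizer token bound to the user's session and checked with a constant-time comparison. Function names, the `csrf_token` parameter, and the sample request data are hypothetical.

```php
<?php
// Added example, not Concrete CMS code. Demonstrates the synchronizer-token
// pattern on a state-changing endpoint. All names here are hypothetical.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

// Issue one unguessable token per session; the page that renders the
// bulk-design dialog embeds this value in the form it submits.
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Accept the request only if it is a POST carrying a token that matches
// the session copy. hash_equals avoids leaking the token through timing.
function csrfValidate(array $session, array $request, string $method): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $request['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Defence in depth: a browser-originated cross-site request carries an
// Origin header that does not match the site's own origin.
function originAllowed(?string $origin, string $siteOrigin): bool
{
    return $origin === null || $origin === $siteOrigin;
}

// The actual state change; in a real CMS this would update page records.
function applyDesign(array $pageIds, string $theme): string
{
    return sprintf('applied theme "%s" to %d page(s)', $theme, count($pageIds));
}

// Vulnerable shape: any request that reaches the handler is honoured, so a
// request forged from another site succeeds with the victim's cookies.
function bulkDesignVulnerable(array $request): array
{
    return ['status' => 200, 'body' => applyDesign($request['pages'] ?? [], $request['theme'] ?? '')];
}

// Hardened shape: the same handler refuses the request unless the
// synchronizer token (and, as a second check, the Origin) is acceptable.
function bulkDesignHardened(array $session, array $request, string $method, ?string $origin, string $siteOrigin): array
{
    if (!originAllowed($origin, $siteOrigin)) {
        return ['status' => 403, 'body' => 'cross-origin request rejected'];
    }
    if (!csrfValidate($session, $request, $method)) {
        return ['status' => 403, 'body' => 'missing or invalid CSRF token'];
    }
    return ['status' => 200, 'body' => applyDesign($request['pages'] ?? [], $request['theme'] ?? '')];
}

// Constructed demo data: a logged-in user's session and a forged form post
// that a third-party page could auto-submit without knowing the token.
$session    = [];
$token      = csrfToken($session);
$siteOrigin = 'https://cms.example';
$forged     = ['pages' => [101, 102, 103], 'theme' => 'dark'];

$r = bulkDesignVulnerable($forged);
echo "vulnerable: {$r['status']} {$r['body']}\n";          // change applied: CSRF

$r = bulkDesignHardened($session, $forged, 'POST', 'https://evil.example', $siteOrigin);
echo "hardened (cross-origin): {$r['status']} {$r['body']}\n";

$r = bulkDesignHardened($session, $forged, 'POST', $siteOrigin, $siteOrigin);
echo "hardened (no token): {$r['status']} {$r['body']}\n";

$legit = $forged + ['csrf_token' => $token];
$r = bulkDesignHardened($session, $legit, 'POST', $siteOrigin, $siteOrigin);
echo "hardened (valid token): {$r['status']} {$r['body']}\n"; // change applied
```

Run with `php example.php`. The token check is the primary control; the Origin comparison only narrows the window, since some non-browser clients omit the header, which is why it is treated as permissive when absent. Marking the session cookie `SameSite=Lax` or `Strict` (the concern behind CWE-1275, listed above) further reduces the chance that a cross-site form post is sent with the victim's session at all.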

Summary generated and translated by AI from the official description.
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Yonatan Drori (Tenzai) for reporting.
