Concrete CMS
cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*
- <= 9.5.0
A remote code execution vulnerability exists in Concrete CMS 9.5.0 and prior, caused by insecure deserialization in the Express Entry List block controller. A rogue administrator with permission to add blocks can bypass the protection that normally rejects malicious input: the REST API parses requests in a way that lets the attacker write a malicious serialized payload into the block's filterFields database column. Whenever the block is later viewed or edited by an administrator, the stored payload is deserialized and executed, which can lead to a complete takeover of the server.
Exploitation of this vulnerability allows for remote code execution on the server.
Users can upgrade to Concrete CMS version 9.5.1 or later, where this vulnerability has been fixed.
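Until the upgrade is applied, a defender will want to check whether anything object-shaped has already been written into stored serialized data. The following Python scanner is an added example, not Concrete CMS code and not from this advisory: it walks the PHP serialize() format properly and reports every class declared by an O: or C: token, so a value that should contain only arrays and scalars, such as an exported filterFields column, can be checked for an injected object payload. The export step, the sample blobs and the class name Example\Gadget are constructed for illustration; they are not real Concrete data or a real gadget chain.

```python
"""Find embedded PHP objects in serialize() output (added example, not Concrete CMS code).

It walks the format properly, honouring the byte length in every s: token, so a
string that merely contains the text O:8:"stdClass" is not a false positive.
Intended use: run it over exported filterFields values (export step assumed) to
spot an injected object payload where only arrays and scalars belong.
"""
from __future__ import annotations


class PhpSerializedError(ValueError):
    """Blob is not well-formed PHP serialize() output."""


class _Walker:
    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0
        self.classes: list[str] = []  # every class name declared by O: or C:

    def _expect(self, token: bytes) -> None:
        if not self.data.startswith(token, self.pos):
            raise PhpSerializedError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def _until(self, delim: bytes) -> bytes:
        end = self.data.find(delim, self.pos)
        if end < 0:
            raise PhpSerializedError(f"missing {delim!r} after offset {self.pos}")
        chunk = self.data[self.pos:end]
        self.pos = end + len(delim)
        return chunk

    def _quoted(self) -> bytes:
        # <len>:"<len bytes>"  -- the declared byte length is authoritative
        length = int(self._until(b":"))
        self._expect(b'"')
        raw = self.data[self.pos:self.pos + length]
        if len(raw) != length:
            raise PhpSerializedError("truncated string")
        self.pos += length
        self._expect(b'"')
        return raw

    def _pairs(self, count: int) -> dict:
        self._expect(b"{")
        out = {}
        for _ in range(count):
            key = self.value()
            out[key] = self.value()
        self._expect(b"}")
        return out

    def value(self):
        tag = self.data[self.pos:self.pos + 1]
        self.pos += 1
        if tag == b"N":
            self._expect(b";")
            return None
        if tag not in (b"b", b"i", b"d", b"s", b"a", b"O", b"C", b"r", b"R"):
            raise PhpSerializedError(f"unknown type tag {tag!r} at offset {self.pos - 1}")
        self._expect(b":")
        if tag == b"b":
            return self._until(b";") == b"1"
        if tag == b"i":
            return int(self._until(b";"))
        if tag == b"d":
            return float(self._until(b";"))
        if tag == b"s":
            raw = self._quoted()
            self._expect(b";")
            return raw.decode("utf-8", "replace")
        if tag in (b"r", b"R"):
            return {"__ref__": int(self._until(b";"))}
        if tag == b"a":
            return self._pairs(int(self._until(b":")))
        # O: and C: declare a class; that is exactly what a gadget payload needs.
        cls = self._quoted().decode("utf-8", "replace")
        self.classes.append(cls)
        self._expect(b":")
        if tag == b"O":
            return {"__class__": cls, "props": self._pairs(int(self._until(b":")))}
        length = int(self._until(b":"))  # C: carries opaque custom data
        self._expect(b"{")
        self.pos += length
        self._expect(b"}")
        return {"__class__": cls, "custom": True}


def parse_php_serialized(blob: bytes) -> tuple[object, list[str]]:
    """Return (decoded value, class names seen); raise on malformed input."""
    w = _Walker(blob)
    decoded = w.value()
    if w.pos != len(blob):
        raise PhpSerializedError(f"trailing data at offset {w.pos}")
    return decoded, w.classes


def php_classes_in(blob: bytes) -> list[str]:
    return parse_php_serialized(blob)[1]


def is_object_free(blob: bytes) -> bool:
    """True only if the blob parses and contains no object at any depth.
    A malformed blob is treated as suspicious, not as safe."""
    try:
        return not php_classes_in(blob)
    except PhpSerializedError:
        return False


# Constructed sample values standing in for exported filterFields rows.
BENIGN = b'a:1:{i:0;a:2:{s:3:"key";s:5:"title";s:5:"value";s:3:"foo";}}'
DECOY = b'a:1:{s:5:"value";s:17:"O:8:"stdClass":0:";}'  # object-looking text inside a string
MALICIOUS = b'a:1:{s:6:"filter";O:14:"Example\\Gadget":1:{s:3:"cmd";s:2:"id";}}'  # hypothetical class

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("decoy", DECOY), ("malicious", MALICIOUS)):
        print(f"{name:10s} object_free={is_object_free(blob)} classes={php_classes_in(blob)}")
```

Run `is_object_free()` over each exported value; anything returning False (an object at any depth, or a blob that does not parse at all) deserves a look. Inside the application, the equivalent guard is PHP's own `allowed_classes` option of `unserialize()` (available since PHP 7.0), or storing the field list as JSON rather than as serialized PHP.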