Concrete CMS Cross-Site Request Forgery Vulnerability in Package Download Endpoint

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Concrete CMS versions through 9.5.0. The issue lies in the package download step of the dashboard extension installation feature. The vulnerable endpoint is reached through a state-changing GET request and performs no CSRF token validation. Because of this, an attacker can cause an authenticated administrator to download arbitrary marketplace packages, which are then saved to the server's packages directory. Exploitation requires that the targeted administrator hold the 'canInstallPackages()' permission and that the site be connected to the Concrete marketplace.

Impact

Exploitation of this vulnerability could lead to the unauthorized installation of marketplace packages and, if an installed package contains malicious code, to the execution of that code.

Remediation

Users can upgrade to Concrete CMS version 9.5.1 or later, where this vulnerability has been fixed.
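To illustrate the flaw described under Vulnerability and the kind of fix implied under Remediation, the following is an added example written for this page; it is not Concrete CMS code, and the request/user dictionaries, the 'csrf_token' parameter name and the HMAC-based token scheme are assumptions used only to show the pattern.

```python
import hashlib
import hmac
import secrets

# Constructed per-process secret; a real application would keep this in its
# session or configuration store rather than generating it at import time.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str, action: str) -> str:
    """Token bound to one session and one action: HMAC(secret, session:action)."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def vulnerable_download(request: dict, user: dict) -> str:
    """The pattern the advisory describes: a state-changing GET with only a
    permission check. Any cross-site link or image the admin's browser loads
    carries the session cookie, so the check passes and the package is saved."""
    if not user.get("canInstallPackages"):
        return "403 forbidden"
    return f"200 saved {request['params']['package']} to packages/"


def hardened_download(request: dict, user: dict) -> str:
    """Fixed pattern: keep the permission check, refuse GET for a state change,
    and require a session-bound CSRF token compared in constant time."""
    if not user.get("canInstallPackages"):
        return "403 forbidden"
    if request["method"] != "POST":
        return "405 method not allowed"
    expected = csrf_token(user["session_id"], "download_package")
    supplied = request["params"].get("csrf_token", "")  # hypothetical param name
    if not hmac.compare_digest(expected, supplied):
        return "400 invalid token"
    return f"200 saved {request['params']['package']} to packages/"
```

A forged cross-site request can only ever be a GET or a token-less POST, so it is stopped at the method or token check, while a form rendered by the dashboard itself carries a valid token and still succeeds.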

Added: May 21, 2026, 9:29 PM
Updated: May 21, 2026, 9:29 PM

Vulnerability Rating (Custom Algorithm)

spread: 3.4
impact: 0.6
exploitability: 6.8
remediation: 7.7
relevance: 9.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.