Concrete CMS Cross-Site Request Forgery Vulnerability in Core Update Process

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Concrete CMS versions through 9.5.0. The issue arises because the application emits a CSRF token in the 'local_available_update.php' view, but the corresponding 'do_update()' method in the update controller does not validate this token. As a result, an attacker can craft a cross-site POST request that triggers a core CMS update to a version specified by the attacker. For exploitation, the victim must have the 'canUpgrade()' permission, and a valid update version must be available under 'DIR_CORE_UPDATES'.
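
The defect is a token that is rendered but never checked. The added example below, written for this page and not taken from Concrete CMS's code base, shows that pattern in plain PHP: the view emits a per-session token, the vulnerable handler checks permission but ignores the token, and the corrected handler rejects any POST whose token does not match. The session-backed token helper, the `ccm_token` field name, the `$available` version list and the returned status strings are assumptions standing in for the CMS's own token service, update directory and update routine.

```php
<?php
// Added example, not Concrete CMS code. Minimal stand-in for a CSRF token
// service: one random token per session, compared in constant time.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_validate(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// View side: the token is rendered into the form as a hidden field. This is
// the part the advisory says the view already does.
function render_update_form(string $version): string {
    return '<form method="post" action="/update/do_update">'
        . '<input type="hidden" name="ccm_token" value="' . htmlspecialchars(csrf_token()) . '">'
        . '<input type="hidden" name="version" value="' . htmlspecialchars($version) . '">'
        . '<button type="submit">Update</button></form>';
}

// Vulnerable handler: permission and version availability are checked, but
// the token the view emitted is never validated, so a forged cross-site POST
// carrying no token (or a stale one) is accepted just like a real one.
function do_update_vulnerable(array $post, bool $canUpgrade, array $available): string {
    if (!$canUpgrade) { return 'forbidden'; }
    $version = $post['version'] ?? '';
    if (!in_array($version, $available, true)) { return 'no such update'; }
    return 'updated to ' . $version;   // hypothetical call into the update routine
}

// Fixed handler: identical, except the request is refused before the update
// routine is reached unless the submitted token matches the session token.
function do_update_fixed(array $post, bool $canUpgrade, array $available): string {
    if (!$canUpgrade) { return 'forbidden'; }
    if (!csrf_validate($post['ccm_token'] ?? null)) { return 'invalid token'; }
    $version = $post['version'] ?? '';
    if (!in_array($version, $available, true)) { return 'no such update'; }
    return 'updated to ' . $version;
}
```

A cross-site form cannot read the victim's session token, so a POST built by another origin fails `csrf_validate()` in the fixed handler while still passing the permission and version checks that the vulnerable handler relied on alone.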

Impact

Exploitation allows an unauthorized core CMS update to an attacker-chosen version, which can expose the site to other vulnerabilities or break its functionality.

Remediation

Update to Concrete CMS version 9.5.1 or later, where this vulnerability has been fixed.

Added: May 21, 2026, 9:20 PM
Updated: May 21, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          2.5
  exploitability  6.2
  remediation     7.7
  relevance       9.0
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.