Remote Code Execution Vulnerability in Concrete CMS by PHP Object Injection
CVE-2026-3452

8.9 HIGH

Key Information:

Vendor
CVE Published:
4 March 2026

What is CVE-2026-3452?

Concrete CMS prior to version 9.4.8 is susceptible to a serious security flaw that allows Remote Code Execution through PHP object injection. This issue arises when an authenticated administrator can inject attacker-controlled serialized data into the configuration of the Express Entry List block via the columns parameter. Since this data is later processed using the unserialize() function without adequate class restrictions or integrity checks, it presents an opportunity for malicious actors to execute arbitrary code. This vulnerability highlights the importance of securing admin functionalities and ensuring data integrity in web applications.
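The mechanism described above is generic to PHP: unserialize() on data an untrusted party can shape will instantiate whatever classes the payload names, and any magic methods on those classes run with attacker-chosen properties. The following is an added example, not Concrete CMS code, that models a block storing a "columns" setting and shows the defensive measures a practitioner would apply: detecting object markers in the serialized input, calling unserialize() with `allowed_classes` disabled and validating the result against the only shape the block needs, and signing server-written configuration so tampered values are refused before deserialization. All function names, the column-name rule and the key constant are hypothetical.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not Concrete CMS's code). Hardening a block setting that is
 * stored serialized and later deserialized. Names are hypothetical.
 */

// 1. Detection. PHP's serialization format marks objects with O:<len>:"Class"
//    and custom-serialized objects with C:<len>:"Class" at the start of an
//    element. A list of scalar column names never needs either token, so a hit
//    is worth logging and rejecting. The pattern errs toward false positives.
function containsSerializedObject(string $data): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $data) === 1;
}

// Shared shape check: a flat list of identifier-like column names.
// The identifier rule is an assumption for this example.
function assertColumnList(mixed $value): array
{
    if (!is_array($value)) {
        throw new InvalidArgumentException('columns must be a list');
    }
    foreach ($value as $column) {
        if (!is_string($column)
            || preg_match('/^[a-z_][a-z0-9_]{0,63}$/i', $column) !== 1) {
            throw new InvalidArgumentException('invalid column name');
        }
    }
    return array_values($value);
}

// 2. Safe decoding of legacy serialized data. allowed_classes => false turns
//    any object in the payload into __PHP_Incomplete_Class, so no class's
//    __wakeup()/__destruct()/__toString() is ever reached. The result is then
//    validated rather than trusted.
function decodeLegacyColumns(string $serialized): array
{
    if (containsSerializedObject($serialized)) {
        throw new InvalidArgumentException('serialized object rejected');
    }
    $value = unserialize($serialized, ['allowed_classes' => false]);
    return assertColumnList($value);
}

// 3. Integrity for new writes. Configuration is encoded as JSON (which carries
//    no class information at all) and signed with an HMAC, so a value swapped
//    in by a user or altered in storage fails verification before decoding.
//    The key below is a constructed placeholder; load it from a secret store.
const CONFIG_HMAC_KEY = 'REPLACE-WITH-32-RANDOM-BYTES-FROM-SECRET-STORE';

function encodeColumns(array $columns): string
{
    $payload = json_encode(assertColumnList($columns), JSON_THROW_ON_ERROR);
    $mac = hash_hmac('sha256', $payload, CONFIG_HMAC_KEY);
    return $mac . '.' . $payload;
}

function decodeSignedColumns(string $stored): array
{
    [$mac, $payload] = explode('.', $stored, 2) + [null, null];
    if ($mac === null || $payload === null
        || !hash_equals(hash_hmac('sha256', $payload, CONFIG_HMAC_KEY), $mac)) {
        throw new RuntimeException('configuration integrity check failed');
    }
    $value = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    return assertColumnList($value);
}

// Constructed sample inputs for a local run.
$legitimate = serialize(['title', 'author', 'date']);
$withObject = 'a:1:{i:0;O:8:"stdClass":0:{}}'; // harmless stdClass, constructed

var_dump(containsSerializedObject($legitimate));
var_dump(containsSerializedObject($withObject));
print_r(decodeLegacyColumns($legitimate));

$signed = encodeColumns(['title', 'author']);
print_r(decodeSignedColumns($signed));

// Flipping one byte of the signed blob must be refused, not deserialized.
$tampered = substr_replace($signed, 'x', -2, 1);
try {
    decodeSignedColumns($tampered);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The ordering matters for detection as much as for prevention: the object-token check and the HMAC verification both run before unserialize() or json_decode() touch the data, so a rejected payload can be logged with the acting account and the raw value, which is the audit trail an incident responder needs when an administrative account is suspected of being misused.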

Affected Version(s)

Concrete CMS 5 < 9.4.8

References

CVSS V4

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

YJK (@YJK0805) of ZUSO ART