CSRF Vulnerability in Concrete CMS Versions Up to 9.5.0
CVE-2026-8140

7.5 HIGH

Key Information:

Vendor: Concrete CMS
CVE Published: 21 May 2026

What is CVE-2026-8140?

Concrete CMS versions 9.5.0 and earlier are vulnerable to Cross-Site Request Forgery (CSRF) because the CSRF token is not adequately validated when a request to install a package from the remote marketplace is processed. Specifically, the download method of the dashboard's extend/install controller honours the request on the strength of the administrator's session cookie alone. An attacker who lures an authenticated administrator to a crafted page can therefore make the administrator's browser issue that request, and the site downloads the attacker-chosen package from the marketplace without the administrator ever having authorized the action. Because the browser attaches the session cookie automatically, the attacker needs no credentials on the target site. Exploitation does require that the victim holds the canInstallPackages() permission and that the site is connected to the Concrete marketplace, so the exposed population is administrators who manage package installations on marketplace-linked sites. Note that the package itself still comes from the marketplace; what the attacker controls is which package is fetched, and the fact that it happens without consent.
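The following is an added illustration of the pattern behind this advisory, not code from Concrete CMS. It models a state-changing download endpoint in two forms: a vulnerable handler that accepts any request carrying a capable administrator's session cookie, and a hardened handler that also demands a CSRF token bound to that session and to that specific download. The path, the parameter name csrf_token, the permission flag standing in for canInstallPackages(), and the HMAC-based token scheme are all assumptions made for the example; they are not Concrete's actual token helper or controller code. The forged_request helper constructs what the victim's browser would send when a page on another origin embeds an image tag or auto-submits a form.

```python
"""CSRF on a state-changing dashboard action: vulnerable vs. hardened handler.

Added illustration, not Concrete CMS code. Every name, path and the token
scheme below is an assumption made for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SERVER_SECRET = secrets.token_bytes(32)   # constructed; a real app persists this
TOKEN_WINDOW = 300                        # assumed token lifetime in seconds


@dataclass
class Session:
    session_id: str
    user: str
    can_install_packages: bool           # stands in for canInstallPackages()


@dataclass
class Request:
    method: str
    path: str
    session: Optional[Session]           # what the session cookie resolved to
    params: Dict[str, str] = field(default_factory=dict)


def make_token(session: Session, action: str, now: Optional[float] = None) -> str:
    """Token = <timestamp>:<HMAC(secret, session_id|action|timestamp)>.

    Binding to the session means a token minted in the attacker's own session
    is useless against the victim; binding to the action means a token issued
    for one form cannot be replayed against another."""
    ts = int(time.time() if now is None else now)
    msg = f"{session.session_id}|{action}|{ts}".encode()
    return f"{ts}:{hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()}"


def validate_token(session: Session, action: str, token: Optional[str],
                   now: Optional[float] = None) -> bool:
    """Recompute the MAC for the presented timestamp and compare in constant time."""
    if not token or ":" not in token:
        return False
    ts_str, mac = token.split(":", 1)
    if not ts_str.isdigit():
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - int(ts_str) <= TOKEN_WINDOW:
        return False
    msg = f"{session.session_id}|{action}|{ts_str}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def vulnerable_download(req: Request, mp_id: str) -> Tuple[int, str]:
    """Authorization only. Any request carrying a capable admin's cookie is
    honoured, including one a third-party page made the browser send."""
    if req.session is None or not req.session.can_install_packages:
        return 403, "forbidden"
    return 200, f"downloading package {mp_id}"     # the state change


def hardened_download(req: Request, mp_id: str,
                      now: Optional[float] = None) -> Tuple[int, str]:
    """Authorization plus proof of intent: POST only, with a token bound to
    this session and to this specific download."""
    if req.session is None or not req.session.can_install_packages:
        return 403, "forbidden"
    if req.method != "POST":
        return 405, "state-changing action requires POST"
    token = req.params.get("csrf_token")
    if not validate_token(req.session, f"download_{mp_id}", token, now):
        return 403, "missing or invalid CSRF token"
    return 200, f"downloading package {mp_id}"


def forged_request(victim: Session, mp_id: str, method: str = "GET",
                   params: Optional[Dict[str, str]] = None) -> Request:
    """What the victim's browser sends when a crafted page on another origin
    embeds <img src=...> (GET) or auto-submits a form (POST): the victim's
    cookie is attached automatically, but the page cannot read a token minted
    for the victim's session, so it can only send none or one of its own."""
    return Request(method, f"/dashboard/extend/install/download/{mp_id}",
                   victim, dict(params or {}))
```

The point a reviewer of the real controller would check is where the token is validated: it has to be enforced inside the method that performs the download, not only on the dashboard page that renders the link, because the attacker's page reaches the action URL directly. Requiring POST alone is not a fix (a hidden auto-submitting form sends a cross-site POST just as easily), and SameSite cookie attributes are defence in depth rather than a substitute for the token check.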

Affected Version(s)

Concrete CMS 5.0 up to and including 9.5.0

CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published: 21 May 2026

  • Vulnerability reserved