CSRF Vulnerability in Concrete CMS 9.5.0 and Below
CVE-2026-8426

7.5 HIGH

Key Information:

Vendor:
CVE Published: 21 May 2026

What is CVE-2026-8426?

Concrete CMS versions 9.5.0 and earlier do not validate the CSRF token on requests to the update endpoint. Because the browser attaches the victim's session automatically, a third-party page can forge a request to that endpoint on behalf of a logged-in user who is permitted to run updates (Cross-Site Request Forgery), and the forged request starts an automatic upgrade. An attacker who also controls the remote package returned for that upgrade can place malicious code in it, and that code executes during the upgrade with the privileges of the web server user. Exploitation therefore requires two conditions on the victim site: it is connected to the Concrete marketplace, and its configuration allows package installations. When both hold, the outcome is remote code execution.
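How the missing check described above turns a cross-site form post into an accepted upgrade request, shown as an added example that is not Concrete CMS code (Concrete is written in PHP; this model is in Python). It contrasts a handler that acts on any authenticated POST with one that requires a session-bound CSRF token and, as defence in depth, rejects requests a browser labels cross-site through the Sec-Fetch-Site header. Request, CsrfTokens, vulnerable_update, hardened_update, demo, the endpoint shape and all sample requests are constructed for this illustration and are not taken from Concrete CMS.

```python
# Added example, not Concrete CMS code: a minimal model of a state-changing
# "update" endpoint, first as the vulnerable pattern (no CSRF token check) and
# then hardened. Request, CsrfTokens, vulnerable_update, hardened_update and
# demo are names assumed for this illustration.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Request:
    method: str
    session_id: str  # session cookie the browser attaches automatically
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


class CsrfTokens:
    """Session-bound tokens: HMAC(server_secret, session_id). A third-party page
    can make the victim's browser send the session cookie, but it cannot read
    the token, and without the server secret it cannot compute one."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret

    def issue(self, session_id: str) -> str:
        return hmac.new(self._secret, session_id.encode(), hashlib.sha256).hexdigest()

    def verify(self, session_id: str, token: Optional[str]) -> bool:
        if not token:
            return False
        # constant-time compare so the token cannot be guessed byte by byte
        return hmac.compare_digest(self.issue(session_id), token)


def vulnerable_update(req: Request, installed: Dict[str, str]) -> str:
    # Vulnerable pattern: any POST carrying a valid session is acted on, so a
    # form auto-submitted by an attacker's page triggers the upgrade.
    if req.method != "POST":
        return "405"
    installed["package"] = req.form.get("package", "")
    return "upgraded"


def hardened_update(req: Request, installed: Dict[str, str], tokens: CsrfTokens) -> str:
    if req.method != "POST":
        return "405"
    # Defence in depth: modern browsers label cross-site requests via
    # Sec-Fetch-Site. Reject only when the header is present and not
    # same-origin/none, so clients that omit it still fall through to the token check.
    site = req.headers.get("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return "403 cross-site"
    # The actual fix: require a token bound to this session.
    if not tokens.verify(req.session_id, req.form.get("csrf_token")):
        return "403 bad token"
    installed["package"] = req.form.get("package", "")
    return "upgraded"


def demo() -> Dict[str, str]:
    """Runs constructed requests through both handlers and returns the outcomes."""
    tokens = CsrfTokens(server_secret=b"constructed-server-secret")
    session = "sess-42"  # constructed session id of a logged-in user
    # Constructed forged request: submitted by an attacker's page, so the
    # browser adds the session cookie but no token, and flags it cross-site.
    forged = Request("POST", session, {"package": "attacker-package"},
                     {"Sec-Fetch-Site": "cross-site"})
    # The same forgery from a client that sends no Sec-Fetch-Site header.
    forged_no_header = Request("POST", session, {"package": "attacker-package"})
    # Constructed legitimate request from the site's own update form.
    legit = Request("POST", session,
                    {"package": "vendor-package", "csrf_token": tokens.issue(session)},
                    {"Sec-Fetch-Site": "same-origin"})
    results: Dict[str, str] = {}
    results["vulnerable_forged"] = vulnerable_update(forged, {})
    results["hardened_forged"] = hardened_update(forged, {}, tokens)
    results["hardened_forged_no_header"] = hardened_update(forged_no_header, {}, tokens)
    results["hardened_legit"] = hardened_update(legit, {}, tokens)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The token check is what closes the bug; the Sec-Fetch-Site check only helps when a browser sends the header and is skipped otherwise. Even with the token check in place, an upgrade path should still verify the integrity of the package it downloads before running anything from it, since the code-execution outcome in this advisory depends on the attacker controlling that package.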

Affected Version(s)

Concrete CMS 5.0 through 9.5.0 (inclusive)

References

CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

Note: the metric values above are as recorded on this page. CVSS v4 defines Attack Requirements only as None or Present ("Physical" is an Attack Vector value), and Privileges Required and User Interaction are not populated here, so the full vector string cannot be reconstructed from these fields; check the authoritative CVE record for the vector.

Timeline

  • Vulnerability published: 21 May 2026

  • Vulnerability reserved
