Cross Site Request Forgery Vulnerability in Concrete CMS by Concrete Solutions
CVE-2026-8434

2.3LOW

Key Information:

Vendor: Concrete Cms
Status: Concrete Cms
Vendor: CVE Published:; 21 May 2026

🔔 Create Concrete Cms Vulnerability Alert

What is CVE-2026-8434?

A CSRF vulnerability exists in Concrete CMS versions prior to 9.5.0, specifically in the backend file rescanMultiple() controller. This flaw allows an attacker to execute unauthorized commands on behalf of a logged-in user without their consent. Proper measures should be implemented to mitigate potential exploits, ensuring user requests are validated and authenticated.

Affected Version(s)

Concrete CMS 9.0 <= 9.5.0

References

https://documentation.concretecms.org/9-x/developers/intr...

release-notes

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 21, 2026
Vulnerability Reserved
May 12, 2026

Credit

Yonatan Drori (Tenzai)

CVE-2026-8434 Data

JSON