CVE-2026-8421 · HIGH 8.8 · EPSS p6.7%


Description

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution. In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.17% probability of exploitation · percentile 6.7% · 2026-06-19T12:03:05Z
Published: 2026-05-21
Last modified: 2026-05-26

Underlying weaknesses · 1

CWE-352

References

  1. https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes


Type     | Target                                      | Confidence | Tier
Weakness | Cross-Site Request Forgery (CSRF), cwe-352  | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-8417
CVE-2026-8426
CVE-2026-8428
CVE-2026-8416
CVE-2026-8412
CVE-2026-8413
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.