
Concrete CMS < 9.4.8 allows attackers to execute malicious code

CVE-2026-3452 GHSA-gj26-w59c-29mf
Summary

Concrete CMS versions below 9.4.8 allow an authenticated administrator to store attacker-controlled serialized data in a block configuration field that is later passed to unserialize() without class restrictions or integrity checks (CWE-502). A successful attack results in remote code execution on the web server, which can give the attacker full control of the website. To fix this issue, update to version 9.4.8 or later.

What to do
  • Update Concrete CMS (concrete5/concrete5) to version 9.4.8 or later.
Affected software
Vendor        Product        Affected versions   Fix available
concrete5     concrete5      < 9.4.8             9.4.8
concretecms   concrete_cms   < 9.4.8             9.4.8
Original title
Concrete CMS vulnerable to Remote Code Execution by stored PHP object injection
Original description
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. 

The Concrete CMS security team thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of ZUSO ART https://zuso.ai/  for reporting.
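The following PHP is an added illustration of the CWE-502 pattern the description above names (administrator-controlled text reaching unserialize() with no class restriction or integrity check) next to two ways of hardening such a code path. It is not Concrete CMS code: the Probe class, the "columns" values and every helper function are hypothetical stand-ins, and the payload string is constructed for the example.

```php
<?php
// Added illustration of the CWE-502 pattern described in the advisory.
// This is NOT Concrete CMS code: the Probe class, the field names and the
// helper functions are hypothetical stand-ins for "block configuration
// stored by an administrator and later passed to unserialize()".
declare(strict_types=1);

// Stand-in for any autoloadable class with a magic method. A real gadget
// chain would do something harmful in __wakeup()/__destruct(); this one
// only records that unserialize() instantiated it.
final class Probe
{
    /** @var string[] */
    public static array $log = [];
    public string $note = '';

    public function __wakeup(): void
    {
        self::$log[] = 'Probe::__wakeup ran, note=' . $this->note;
    }
}

// Constructed sample values for the hypothetical "columns" setting.
$benignColumns  = serialize(['title', 'email']);
$hostileColumns = 'O:5:"Probe":1:{s:4:"note";s:9:"triggered";}'; // constructed payload

// --- Vulnerable pattern: stored text goes straight into unserialize() --------
function loadColumnsVulnerable(string $stored): mixed
{
    return unserialize($stored);   // any class may be instantiated
}

// --- Hardened pattern 1: keep unserialize() but forbid objects ---------------
// With allowed_classes => false PHP yields __PHP_Incomplete_Class instead of
// a live object, so no __wakeup()/__destruct() code runs.
function loadColumnsNoObjects(string $stored): array
{
    $value = unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('columns setting must be an array');
    }
    foreach ($value as $column) {
        if (!is_string($column)) {
            throw new UnexpectedValueException('column names must be strings');
        }
    }
    return $value;
}

// --- Hardened pattern 2: never store serialize() output ---------------------
// JSON cannot express PHP objects, and an HMAC (key assumed to come from the
// application's secret configuration) detects tampering with the stored text.
function encodeColumns(array $columns, string $hmacKey): string
{
    $json = json_encode(array_values(array_map('strval', $columns)), JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $json, $hmacKey) . '.' . $json;
}

function decodeColumns(string $stored, string $hmacKey): array
{
    $parts = explode('.', $stored, 2);
    if (count($parts) !== 2 || !hash_equals(hash_hmac('sha256', $parts[1], $hmacKey), $parts[0])) {
        throw new RuntimeException('stored columns failed the integrity check');
    }
    $value = json_decode($parts[1], true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($value) || $value !== array_filter($value, 'is_string')) {
        throw new UnexpectedValueException('columns setting must be a list of strings');
    }
    return $value;
}

// --- Demonstration -----------------------------------------------------------
loadColumnsVulnerable($hostileColumns);
printf("vulnerable path: %d magic method call(s)\n", count(Probe::$log));

Probe::$log = [];
try {
    loadColumnsNoObjects($hostileColumns);
} catch (UnexpectedValueException $e) {
    echo 'allowed_classes=false path: rejected (', $e->getMessage(), ")\n";
}
printf("allowed_classes=false path: %d magic method call(s)\n", count(Probe::$log));
print_r(loadColumnsNoObjects($benignColumns));

$hmacKey = 'example-only-secret';   // assumption: comes from app secrets in practice
$stored  = encodeColumns(['title', 'email'], $hmacKey);
print_r(decodeColumns($stored, $hmacKey));
try {
    decodeColumns($stored . 'x', $hmacKey);   // one byte changed, so it is rejected
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Run with `php example.php` (PHP 8.0 or later). The vulnerable path instantiates Probe and its __wakeup() runs; the allowed_classes => false path returns a __PHP_Incomplete_Class that the type check rejects, and no magic method runs. The JSON plus HMAC path is the stronger fix because it removes unserialize() from the code path entirely and also catches tampering with the stored text, which matters because in the reported issue the data was stored by a privileged user and trusted on the way back out.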
NVD CVSS 3.1: 7.2
NVD CVSS 4.0: 8.9
Vulnerability type
CWE-502 Deserialization of Untrusted Data
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026