CVE-2026-8134
Published 2026-05-21
Priority P3 · Severity high · CVSS 3.1 base 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS 0.74% (49.9th percentile)
Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader's extension-only validation (which permits PHP code in files saved with image extensions like .png), this can result in authenticated remote code execution. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 9.4 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks to Yonatan Drori (Tenzai) for reporting.
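As an added example (not Concrete CMS code, and not the exploit used to report this issue), the following Python models the two weaknesses the description chains together: a template-name resolver that lets `../` segments walk out of the template directory, its confined replacement, and why tightening only the upload-side check is not enough. The directory paths, function names and the polyglot upload are constructed for the illustration; the PHP `include()` that would consume the resolved path is described in comments rather than executed.

```python
"""Illustrative model of the bug class in CVE-2026-8134: an include path built from
an attacker-controlled template name, plus an upload check that looks only at the
file extension. Constructed for this page; not Concrete CMS code."""
import os
import re

# Hypothetical directory layout, constructed for the example.
TEMPLATE_ROOT = "/srv/app/concrete/templates"
UPLOAD_ROOT = "/srv/app/application/files"


def resolve_template_unsafe(root: str, name: str) -> str:
    """Vulnerable pattern: the user-supplied name is joined straight onto the
    template directory, so '../' segments walk out of it. In PHP the result
    would be handed to include(), which executes whatever it finds there."""
    return os.path.normpath(os.path.join(root, name))


SAFE_TEMPLATE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_template_safe(root: str, name: str) -> str:
    """Hardened pattern: allowlist the name, append the extension ourselves,
    canonicalise with realpath() and refuse anything that does not stay under
    the canonicalised root (catches '..', absolute paths and symlink escapes)."""
    if not SAFE_TEMPLATE_NAME.fullmatch(name):
        raise ValueError(f"rejected template name: {name!r}")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, name + ".php"))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError(f"template path escapes root: {candidate}")
    return candidate


IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def upload_allowed_by_extension(filename: str) -> bool:
    """The weak check the advisory describes: only the extension is inspected."""
    return filename.rsplit(".", 1)[-1].lower() in IMAGE_EXTENSIONS


def upload_looks_like_png(data: bytes) -> bool:
    """A magic-byte check. Better, but a PNG signature followed by PHP source
    still passes, so this alone does not stop include() from executing it."""
    return data.startswith(PNG_MAGIC)


def upload_contains_php(data: bytes) -> bool:
    """Heuristic rejection of PHP open tags anywhere in the upload. Cheap and
    worth having, but the durable fix is the path confinement above: a file the
    interpreter never includes cannot run, whatever it contains."""
    return b"<?php" in data or b"<?=" in data


# Constructed polyglot: a valid PNG signature with PHP source appended.
POLYGLOT_UPLOAD = PNG_MAGIC + b"\x00" * 16 + b"<?php echo 'rce'; ?>"
# Constructed traversal value: from the template dir into the upload dir.
TRAVERSAL_NAME = "../../application/files/1234/avatar.png"


if __name__ == "__main__":
    print("unsafe resolves to:", resolve_template_unsafe(TEMPLATE_ROOT, TRAVERSAL_NAME))
    try:
        resolve_template_safe(TEMPLATE_ROOT, TRAVERSAL_NAME)
    except ValueError as exc:
        print("safe rejected:", exc)
    print("safe resolves to:", resolve_template_safe(TEMPLATE_ROOT, "two_column"))
    print("extension check passes polyglot:", upload_allowed_by_extension("avatar.png"))
    print("magic check passes polyglot:", upload_looks_like_png(POLYGLOT_UPLOAD))
    print("php-tag check catches polyglot:", upload_contains_php(POLYGLOT_UPLOAD))
```

The unsafe resolver lands inside the upload directory with two `../` segments, which is the whole chain: a .png that passed an extension-only check is now the target of an include. In PHP the safe variant has the same shape (`preg_match()` allowlist, `realpath()` on both root and candidate, then a prefix comparison against the canonical root with a trailing separator); the allowlist alone already blocks traversal, and the canonical-path check is defence in depth against symlinks under the template directory.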
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| concrete5 | concrete5 | >= 0 < 9.5.1 | 9.5.1 |
| concrete_cms | concrete_cms | 5.0 – 9.5.0 | — |
| concretecms | concrete_cms | <= 9.5.0 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
GHSA
GHSA-645j-cm4x-3xvw: Concrete CMS 9 (ghsa_unreviewed · 2026-05-21 · CVE-2026-8134 · CRITICAL · CWE-23)
Description identical to the CVE text above.
GHSA
Concrete CMS Vulnerable to Relative Path Traversal (ghsa · 2026-05-21 · CVE-2026-8134 · CRITICAL · CWE-23)
Description as in the CVE text above, without the CVSS v4.0 sentence; it closes with "Concrete CMS thanks Yonatan Drori (Tenzai) for reporting this issue."
VulDB
Concrete CMS up to 9.5.0 File Upload ptComposerFormLayoutSetControlCustomTemplate filename control (EUVD-2026-31335) (vuldb · 2026-05-21 · CVE-2026-8134 · CRITICAL · CVSS 9.4)
A vulnerability labeled as problematic has been found in Concrete CMS up to 9.5.0. The affected element is an unknown function of the component File Upload Handler. Executing a manipulation of the argument ptComposerFormLayoutSetControlCustomTemplate can lead to improper control of filename for include/require statement in PHP program ('PHP Remote File Inclusion').
The identification of this vulnerability is CVE-2026-8134. The attack may be launched remotely. There is no exploit available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.