CVE-2026-8135
Published 2026-05-21
Priority: P350 · Severity: high · CVSS 3.1 base score: 7.2
CVSS 3.1 vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.47% (37.2th percentile)
Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. A rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because the REST API parses requests using json_decode(), the string "true" is evaluated as a strict PHP Boolean(true). This bypass allows the attacker to inject a malicious serialized payload into the block's filterFields database column. The payload will subsequently be executed when the block's data is viewed or edited by an administrator, leading to complete server takeover (RCE). The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 8.9 with a vector of CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks to Nguyễn Văn Thiện (https://github.com/Thien225409) for reporting.
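The mechanism described above, as an added PHP illustration that is not Concrete CMS code: a form POST (all values strings) can never satisfy a `=== true` gate, a JSON body parsed by json_decode() can, and the underlying risk is the unrestricted unserialize() behind that gate. The function names, the request bodies and the hardened loader are assumptions for this example; the hardening shown is one defensive option, not the vendor's patch.

```php
<?php
declare(strict_types=1);

// Constructed request bodies. A form POST delivers every value as a string;
// the REST API body is parsed with json_decode() and yields a real boolean.
const FORM_POST = ['_fromCIF' => 'true'];
const API_BODY  = '{"_fromCIF": true, "filterFields": "a:0:{}"}';

// Gate in the style the advisory describes: only a strict boolean true passes.
function isTrustedImport(array $request): bool
{
    return ($request['_fromCIF'] ?? null) === true;
}

// Vulnerable pattern: once the gate is passed, stored text is unserialize()d
// with no class restriction, so any gadget class present on the install can
// be instantiated when an administrator later views or edits the block.
function loadFilterFieldsVulnerable(string $stored): array
{
    $fields = unserialize($stored);
    return is_array($fields) ? $fields : [];
}

// Hardened pattern (assumed, not the vendor's fix): refuse objects entirely,
// bound nesting depth, and only accept a flat map of scalar filter values.
function loadFilterFieldsHardened(string $stored): array
{
    $fields = @unserialize($stored, ['allowed_classes' => false, 'max_depth' => 4]);
    if (!is_array($fields)) {
        return [];
    }
    foreach ($fields as $name => $value) {
        if (!is_string($name) || !is_scalar($value)) {
            return [];
        }
    }
    return $fields;
}

// Audit helper for defenders: flags stored column values that would
// instantiate an object (serialized "O:<len>:"...") if unserialize()d.
function containsSerializedObject(string $stored): bool
{
    return (bool) preg_match('/(?:^|[;{])O:\d+:"/', $stored);
}

// A form string never satisfies the strict gate; the JSON literal does.
var_dump(isTrustedImport(FORM_POST));
var_dump(isTrustedImport(json_decode(API_BODY, true)));
```

Running containsSerializedObject() over every stored filterFields value is a cheap way to audit an existing install for injected payloads before upgrading to a fixed release.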
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| concrete5 | concrete5 | >= 0 < 9.5.1 | 9.5.1 |
| concrete_cms | concrete_cms | 5.0 – 9.5.0 | — |
| concretecms | concrete_cms | <= 9.5.0 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.9 | HIGH | CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA · 2026-05-21 · HIGH · CWE-502
Concrete CMS Vulnerable to Deserialization of Untrusted Data
VulDB · 2026-05-21 · HIGH · CVSS 8.9
Concrete CMS up to 9.5.0 REST API json_decode deserialization (EUVD-2026-31336)
A vulnerability marked as problematic has been reported in Concrete CMS up to 9.5.0. The impacted element is the function json_decode of the component REST API. The manipulation leads to deserialization.
This vulnerability is referenced as CVE-2026-8135. Remote exploitation of the attack is possible. No exploit is available.
GHSA (unreviewed) · 2026-05-21 · HIGH · CWE-502
GHSA-pv2v-6w2v-97x6: Concrete CMS 9
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.