CVE-2026-8417
Published 2026-05-21
Priority: P346 · CVSS 3.1: 8.8 (high) · AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.12% (2.3rd percentile)
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before executing upgradeCoreData() and upgrade() on the named package's controller. Because the endpoint is a state-changing GET route with no token enforcement, an attacker can force an authenticated administrator to trigger a package upgrade via a single cross-site navigation. In order to be vulnerable, the victim must pass canInstallPackages() and a target package must already be installed. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| concrete5 | concrete5 | >= 0 < 9.5.1 | 9.5.1 |
| concrete_cms | concrete_cms | 5.0 – 9.5.0 | — |
| concretecms | concrete_cms | < 9.5.1 | 9.5.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 7.5 | HIGH | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB · 2026-05-21 · CVSS 7.5
CVE-2026-8417 [HIGH] Concrete CMS up to 9.5.0 do_update cross-site request forgery (EUVD-2026-31334)
A vulnerability classified as problematic has been found in Concrete CMS up to 9.5.0. This impacts the function do_update of the file /dashboard/extend/update/do_update/. This manipulation causes cross-site request forgery.
This vulnerability is tracked as CVE-2026-8417. The attack can be carried out remotely. No exploit exists.
GHSA · 2026-05-21
CVE-2026-8417 [HIGH] CWE-352 Concrete does not validate a CSRF token before processing requests to `/dashboard/extend/update/do_update/<pkgHandle>`
GHSA (unreviewed) · 2026-05-21
CVE-2026-8417 [HIGH] CWE-352 GHSA-jr5g-qv3g-rxxx: Concrete CMS 9
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.