CVE-2026-10721

Source
https://cve.org/CVERecord?id=CVE-2026-10721
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10721.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-10721
Published
2026-06-10T06:59:03.161Z
Modified
2026-07-08T08:08:18.227199413Z
Severity
  • 8.4 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components
Details

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10721.json",
    "cna_assigner": "ConcreteCMS",
    "cwe_ids": [
        "CWE-502"
    ]
}
References

Affected packages

Git / github.com/concretecms/concretecms

Affected ranges

Type
GIT
Repo
https://github.com/concretecms/concretecms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "5"
        },
        {
            "last_affected": "9.5.1"
        }
    ]
}

Affected versions

5.*
5.7.0
5.7.0.1
5.7.0.3
5.7.0.4
5.7.1
5.7.2
5.7.2.1
5.7.3
5.7.3.1
5.7.4.1
5.7.5.2
5.7.5.5
5.7.5.6
5.7.5.7
8.*
8.1.0
8.2.0
8.2.0RC2
8.2.1
8.3.1
8.4.1
9.*
9.3.0
9.3.1
9.3.2
9.3.3
9.3.4
9.3.5
9.3.6
9.3.7
9.4.0
9.4.0RC1
9.4.0RC2
9.4.1
9.4.2
9.4.3
9.4.4
9.5.0
9.5.0RC1
9.5.0RC2
9.5.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10721.json"