CVE-2026-8421

Source
https://cve.org/CVERecord?id=CVE-2026-8421
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8421.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-8421
Aliases
Published
2026-05-21T20:25:11.868Z
Modified
2026-07-15T01:49:18.986684536Z
Severity
  • 7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Concrete CMS 9.5.0 and below is vulnerable to CSRF on install_package() with conditional token bypass leading to RCE
Details

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the installpackage() method of concrete/controllers/singlepage/dashboard/extend/install.php.  An attacker who can cause an authenticated administrator to visit a crafted page,  and who has placed or caused a package to be present under DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution.  In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks  https://github.com/maru1009  for reporting.

Database specific
{
    "cwe_ids": [
        "CWE-352"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8421.json",
    "cna_assigner": "ConcreteCMS"
}
References

Affected packages

Git / github.com/concretecms/concretecms

Affected ranges

Type
GIT
Repo
https://github.com/concretecms/concretecms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "5.0"
        },
        {
            "last_affected": "9.5.0"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "9.5.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

5.*
5.7.0
5.7.0.1
5.7.0.3
5.7.0.4
5.7.1
5.7.2
5.7.2.1
5.7.3
5.7.3.1
5.7.4.1
5.7.5.2
5.7.5.5
5.7.5.6
5.7.5.7
8.*
8.1.0
8.2.0
8.2.0RC2
8.2.1
8.3.1
8.4.1
9.*
9.3.0
9.3.1
9.3.2
9.3.3
9.3.4
9.3.5
9.3.6
9.3.7
9.4.0
9.4.0RC1
9.4.0RC2
9.4.1
9.4.2
9.4.3
9.4.4
9.5.0
9.5.0RC1
9.5.0RC2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8421.json"